
I have recently begun learning and practicing PHP/MySQL and wrote a comment/note system. I am having trouble sanitizing the input (escape characters).

    <?php
    include($_SERVER['DOCUMENT_ROOT'].'/includes/dbh.php');

    // Read the posted note (default to '' so a missing field does not raise a notice)
    // and escape it for use inside the quoted SQL literal below.
    $newNote = mysqli_real_escape_string($conn, $_POST['note'] ?? '');

    if (empty($newNote)) {
        header("Location: /admin/notes.php?error=empty");
        exit();
    } else {
        $dt = date('M d, Y ');
        $sql = "INSERT INTO notes (dt, note) VALUES ('$dt', '$newNote')";
        $result = mysqli_query($conn, $sql);
        if ($result === false) {
            // The query failed: log it and redirect with an error instead of reporting success.
            error_log('note insert failed: ' . mysqli_error($conn));
            header("Location: /admin/notes.php?error=db");
            exit();
        }
        header("Location: /admin/notes.php?success");
        exit();
    }
    ?>

Do I want to be sanitizing the $result variable or the $sql variable? I had this working properly earlier before changes were made, and I am somewhat certain the $newNote variable is still sanitizing properly. I'd like to be certain.

$sql is just setting the stage, not doing anything and when $result is run that is when the query happens. So I would want to sanitize before the query.

Should I research PDO and drop mysqli?

  • Try the `prepare` & `bind_param` functions. See the [link](http://stackoverflow.com/questions/2353666/php-is-mysql-real-escape-string-sufficient-for-cleaning-user-input). – gaurav Feb 15 '17 at 07:11
  • Yes, you should research PDO and drop mysqli, simply because the latter is too complex for you – Your Common Sense Feb 15 '17 at 07:20
  • 1
    It's great that you're learning. One important thing to consider is evaluating if picking up a [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) would help. These give you *considerable* support when working with databases and developing web applications that the PHP core simply can't match. [Laravel](http://laravel.com/) is a great example of one that's well documented, easy to learn, and has a lot of community support. These sorts of database problems are mostly non-issues in any ORM as well. – tadman Feb 15 '17 at 07:23
  • Have a look and see if [Doctrine](http://www.doctrine-project.org/), [Propel](http://propelorm.org/) or [Eloquent](https://laravel.com/docs/5.4/eloquent) might help with your database interfacing code. More advice on [PHP the Right Way](http://www.phptherightway.com/). – tadman Feb 15 '17 at 07:23
  • I very much look forward to using Laravel. I wanted to start smaller to get a full idea of what I am doing, piece by piece. I will look into "PHP the Right Way" for sure. – The Dude man Feb 15 '17 at 21:57
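The `prepare` / `bind_param` approach suggested in the comments, applied to the asker's insert, as an added example that is not code from the question or any commenter. It assumes `$conn` is the mysqli connection created by `dbh.php`, the `notes` table with columns `dt` and `note` from the question, and a hypothetical `?error=db` redirect for database failures.

```php
<?php
// Added example (not the asker's code): the same insert using a mysqli prepared
// statement. Assumes $conn comes from dbh.php and the notes table has the
// columns dt and note, as in the question.
include($_SERVER['DOCUMENT_ROOT'].'/includes/dbh.php');

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Insert one note with a prepared statement. The note text is sent to the
 * server separately from the SQL text, so no escaping step is needed: quotes,
 * backslashes and semicolons inside $note are stored literally and can never
 * change the structure of the query.
 */
function insertNote(mysqli $conn, string $dt, string $note): bool
{
    $stmt = $conn->prepare('INSERT INTO notes (dt, note) VALUES (?, ?)');
    $stmt->bind_param('ss', $dt, $note);   // both placeholders bound as strings
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$newNote = $_POST['note'] ?? '';           // avoid an undefined-index notice
if (trim($newNote) === '') {               // unlike empty(), this accepts the note "0"
    header('Location: /admin/notes.php?error=empty');
    exit();
}

try {
    insertNote($conn, date('M d, Y '), $newNote);
    header('Location: /admin/notes.php?success');
} catch (mysqli_sql_exception $e) {
    // Log the database error server-side; never echo SQL errors back to the user.
    error_log('note insert failed: ' . $e->getMessage());
    header('Location: /admin/notes.php?error=db');   // hypothetical error code
}
exit();
```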
