What is better (more secure) way to handle SQL injections ?
$var = filter_var($_POST['var'], FILTER_SANITIZE_STRING);
or
mysqli_real_escape_string($link, $_POST['var']);
Asked
Active
Viewed 20 times
0
Marky Mark
- 103
- 2
- 12
-
5Use prepared statements and bind variables. – Nigel Ren Sep 30 '17 at 09:38
-
I've used prepared statements. Just wondering if it's the only way to ensure security. – Marky Mark Sep 30 '17 at 09:40
-
There are some well read (and written) posts on SQL injection, https://stackoverflow.com/questions/134099/are-pdo-prepared-statements-sufficient-to-prevent-sql-injection?rq=1, https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – Nigel Ren Sep 30 '17 at 09:42
-
Not the only way, just the best. – Barmar Sep 30 '17 at 09:49