I'm trying to enter 'validation - the confirmation of an email' and it fails because VALIDATION is a keyword in MySQL. Do I need to escape the first letter, in this case the v in validation? Do word/key replacement after checking for the destination key? Or is there a simpler method?

I currently have:

```php
// $task is spliced into the SQL text after HTML-entity encoding only; it is not SQL-escaped
$db->issue("INSERT INTO tasks (task,added) VALUES('".htmlentities($task,ENT_QUOTES|ENT_HTML401)."',curdate())");
```
Lawrence Cherone
  • `$task = 'validation - verifying an email exists, is working, and the user has access to it.'` – Tim de Vries Dec 01 '20 at 00:07
  • Don't try to sanitize manually. Use [mysqli prepared statements](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) or [PDO](https://www.php.net/manual/en/book.pdo) (recommended) instead. – El_Vanja Dec 01 '20 at 00:08
  • Besides, why do you feel the need to run `htmlentities` on a string like that? – El_Vanja Dec 01 '20 at 00:10
  • If a piece of data is interpreted as part of the SQL statement, you have a potential SQL injection vulnerability. Please see the answers to the duplicate topic to avoid such a vulnerability. – Shadow Dec 01 '20 at 00:49
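The commenters' advice, as an added example that is not part of the question or its comments: the task text is passed as a bound parameter of a prepared statement instead of being concatenated into the SQL. To MySQL a keyword inside a quoted string literal is just data, and with a bound parameter the value never touches the SQL text at all, so quotes, semicolons and keywords in it cannot change the statement. `htmlentities()` is an HTML output encoder, not SQL escaping; the example applies HTML escaping only when the stored value is rendered back into a page. The DSN, credentials, an `id` AUTO_INCREMENT column on `tasks`, and the `$pdo` connection are assumptions for the example and are not from the original post.

```php
<?php
declare(strict_types=1);

// Added example; not the question's code. Assumed schema (not on the original page):
//   CREATE TABLE tasks (
//     id    INT AUTO_INCREMENT PRIMARY KEY,
//     task  VARCHAR(255) NOT NULL,
//     added DATE NOT NULL
//   );
// Host, database name and credentials below are placeholders.
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly instead of silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

/**
 * Insert one task with the text bound as a parameter.
 * The SQL string is constant; $task travels separately from it, so nothing in
 * $task (quotes, semicolons, MySQL keywords such as VALIDATION) is parsed as SQL.
 */
function addTask(PDO $pdo, string $task): int
{
    $stmt = $pdo->prepare('INSERT INTO tasks (task, added) VALUES (:task, CURDATE())');
    $stmt->bindValue(':task', $task, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

/**
 * Fetch a task by id. Raw text comes back unchanged; no entity decoding needed
 * because nothing was entity-encoded on the way in.
 */
function getTask(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT task FROM tasks WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $task = $stmt->fetchColumn();
    return $task === false ? null : (string) $task;
}

// Constructed inputs: the string from the question's comments, one with an
// embedded quote, and one shaped like an injection payload. All three are
// stored verbatim as plain data.
$inputs = [
    'validation - verifying an email exists, is working, and the user has access to it.',
    "review O'Reilly's chapter on validation",
    "x'); DROP TABLE tasks; -- ",
];

foreach ($inputs as $task) {
    $id = addTask($pdo, $task);
    // HTML escaping belongs at output time, when the value is rendered into a page.
    echo $id, ': ', htmlspecialchars(getTask($pdo, $id) ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
}
```

Keep `ATTR_EMULATE_PREPARES` off so the placeholders are handled by the server rather than by client-side quoting; with it on, PDO still escapes correctly for the connection charset, but the separation of code and data is then done in the driver rather than by the MySQL protocol. Store the raw text and encode for HTML (or JSON, or whatever the output context is) at the point of output; encoding at insert time corrupts the stored value for every other consumer of the column.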

0 Answers