How to sanitize data in php in order to avoid SQL injection?

Question

I already used the PDO:

        $stmt = $aPDO->prepare("INSERT INTO ".$this->getM_oUser()->getM_sTableName()." (email, hash_pw, hash_key) VALUES (:email, :hash_pw, :hash_key)");                                             
        $stmt->bindValue(':email', $this->getM_oUser()->getM_sEmail());
        $stmt->bindValue(':hash_pw', $this->getM_oUser()->getM_sHash_pw());
        $stmt->bindValue(':hash_key', $this->getM_oUser()->getM_sHash_Key());

        $stmt->execute();

Should I also use mysql_real_escape_string() to handle the user input string? Thank you.

possible duplicate of [Are PDO prepared statements sufficient to prevent SQL injection?](http://stackoverflow.com/questions/134099/are-pdo-prepared-statements-sufficient-to-prevent-sql-injection) — Haim Evgi, Aug 01 '11 at 08:44

score 1 · Answer 1 · answered Aug 01 '11 at 08:44

1

Using prepared statements with bound parameters is enough. You don't need to use mysql_real_escape_string (and you probably could not even if you wanted -- you 'd need a MySql connection resource in hand to do it).

answered Aug 01 '11 at 08:44

Jon

428,835
81
738
806

score 0 · Answer 2 · answered Aug 01 '11 at 09:36

I'd do something like that to exclude a lot of useless characters from your table name:

$tableName = '`' . preg_replace('`[^-a-zA-Z0-9_]`', $this->getM_oUser()->getM_sTableName()).'`';
$stmt = $aPDO->prepare("INSERT INTO ".$tableName." (email, hash_pw, hash_key) VALUES (:email, :hash_pw, :hash_key)");

How to sanitize data in php in order to avoid SQL injection?

2 Answers2