4
I am developing a project that involves pass words among other important infomations that I need to insert into the mysql database.
My question is which option should I use to escape this data against sql Injection. I am currently using a regular expression that removes unwanted characters. I am using PDO.
2
mysql_real_scape_string() should be discarded because it is obsolete, removed from php7 and requires a mysql connection_*.
Let the PDO handle escaping characters using Prepared statements.
Recommended reading:
Using addslashes against SQL injection is safe?
I was reading a little about the addslashes and I was in doubt because there was an article that explained that this method was not safe. Hence my doubt.
Using addslashes is almost the same as forcing the use of quotes in the PDO, this is kind of the idea.
Browser other questions tagged php sql
You are not signed in. Login or sign up in order to post.
To enter data into the database, use the
mysql_real_escape_string, then if possible explain better why. Take advantage and read this - Why not use mysql functions_*– Edilson