mysql - What do I need to escape when sending a query?

When you execute a SQL query, you have to clean your strings or users can execute malicious SQL on your website. I usually just have a function escape_string(blah), which: Replaces escapes(\) with…


php - How do you manage SQL Queries

At the moment my code (PHP) has too many SQL queries in it. e.g. ... // not a real example, but you get the idea... $results = $db->GetResults("SELECT * FROM sometable WHERE iUser=$userid"); if($result…


Best way to avoid code injection in PHP

My website was recently attacked by, what seemed to me as, an innocent code:<?php if(isset( $_GET['page'])){include( $_GET['page'].".php");}else{include("home.php");}?>…


How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable=$_POST['user_input']; my…
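As an added illustration of the injection described in that question (this is not code from the question or its answers, and it is written in Python against the standard-library sqlite3 module rather than PHP/MySQL so it runs offline; the `users` table, its rows and the attacker string are constructed for the example), the same lookup is shown once with the value interpolated into the SQL text and once with it passed as a bound parameter. The escaping rules of SQLite differ from MySQL's, but that is exactly the point: with parameter binding the value is never parsed as SQL, so no escaping rules apply.

```python
import sqlite3


def make_db():
    # Constructed sample schema and rows standing in for the page's MySQL table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s3cret-a"), ("bob", "s3cret-b")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, user_input):
    # Vulnerable: the user-supplied value becomes part of the SQL text, so a quote
    # in the input ends the literal and the rest is executed as SQL.
    sql = "SELECT name, secret FROM users WHERE name = '%s'" % user_input
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_input):
    # Hardened: the value is sent as a bound parameter. The statement text is fixed;
    # the database receives the quote characters as data, never as syntax.
    sql = "SELECT name, secret FROM users WHERE name = ?"
    return conn.execute(sql, (user_input,)).fetchall()


def demo():
    conn = make_db()
    payload = "nobody' OR '1'='1"  # constructed attacker input
    return {
        "unsafe": lookup_unsafe(conn, payload),   # every row leaks
        "safe": lookup_safe(conn, payload),       # no user is literally named that
        "normal": lookup_safe(conn, "alice"),     # ordinary lookups still work
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The `unsafe` lookup returns both users because the query the database actually sees is `... WHERE name = 'nobody' OR '1'='1'`; the bound version returns nothing for the same input.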


Variable binding in PHP ADOdb

Does ADOdb do data sanitation or escaping within the same functionality by default? Or am I just confusing it with Code Igniter's built-in processes? Does binding variables to parameters in ADOdb for…


Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?

Earlier today a question was asked regarding input validation strategies in web apps. The top answer, at time of writing, suggests in PHP just using htmlspecialchars and mysql_real_escape_string. My…


Best practices in PHP and MySQL with international strings

It often happens that characters such as é gets transformed to Ã©, even though the collation for the MySQL DB, table and field is set to utf8_general_ci. The encoding in the Content-Type for the page…


mysql_real_escape_string() leaving slashes in MySQL

I just moved to a new hosting company and now whenever a string gets escaped using: mysql_real_escape_string($str); the slashes remain in the database. This is the first time I've ever seen this happ…


Ensuring MySQL connection works in PHP function

I have code with the following form:<?php function doSomething{//Do stuff with MySQL $con->tralalala();}$con=connectToDatabase;//This would actually be a line or two. doSomething(); ?> This…


php - What does mysql_real_escape_string() do that addslashes() doesn't?

Why do we need a DB-specific functions like mysql_real_escape_string()? What can it do that addslashes() doesn't? Ignoring for the moment the superior alternative of parameterized queries, is a webap…
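The difference the last question asks about comes down to character sets. As an added example (not code from the question, its answers, PHP or libmysql; Python is used so it runs offline), the block below contains a byte-for-byte model of PHP's addslashes(), a model of a charset-aware escape in the style of mysql_real_escape_string(), and a small model of how the server's lexer scans a quoted literal. The GBK lead/tail byte ranges and the rule that a stray lead byte is itself backslash-escaped are assumptions stated in the code; the rest of the escape table is the set of characters MySQL's documentation lists (NUL, newline, carriage return, backslash, both quotes and Ctrl-Z). The input 0xbf 0x27 is the classic case: byte-level escaping turns it into 0xbf 0x5c 0x27, and a server reading GBK sees one two-byte character followed by a bare quote.

```python
# Escape table from the MySQL docs for mysql_real_escape_string(): the byte on the
# left is replaced by the backslash sequence on the right.
SPECIALS = {
    0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x5C: b"\\\\",
    0x27: b"\\'", 0x22: b'\\"', 0x1A: b"\\Z",
}


def addslashes(data: bytes) -> bytes:
    """Byte-for-byte model of PHP addslashes(): ' " \\ and NUL get a backslash.
    It knows nothing about character sets, and it does not touch newlines."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):
            out += b"\\" + bytes([b])
        elif b == 0x00:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


# Assumed GBK structure: lead byte 0x81..0xFE, tail byte 0x40..0x7E or 0x80..0xFE.
# Note that 0x5C (backslash) is a valid tail byte, which is what makes the attack work.
def _mb_len(data: bytes, i: int, charset: str) -> int:
    """Length of the multibyte character starting at data[i] (1 for single-byte)."""
    if charset == "gbk" and 0x81 <= data[i] <= 0xFE and i + 1 < len(data):
        t = data[i + 1]
        if 0x40 <= t <= 0x7E or 0x80 <= t <= 0xFE:
            return 2
    return 1


def _is_mb_lead(b: int, charset: str) -> bool:
    return charset == "gbk" and 0x81 <= b <= 0xFE


def mysql_real_escape(data: bytes, charset: str) -> bytes:
    """Charset-aware escape in the style of mysql_real_escape_string(): whole
    multibyte characters are copied through untouched; a lead byte that does not
    start a valid character is escaped on its own (assumption, so it can never
    pair with a backslash inserted right after it); everything else goes through
    SPECIALS."""
    out = bytearray()
    i = 0
    while i < len(data):
        n = _mb_len(data, i, charset)
        if n > 1:
            out += data[i:i + n]
            i += n
            continue
        b = data[i]
        if _is_mb_lead(b, charset):
            out += b"\\" + bytes([b])
        else:
            out += SPECIALS.get(b, bytes([b]))
        i += 1
    return bytes(out)


def literal_closes_at_end(payload: bytes, charset: str) -> bool:
    """Model of the server scanning '<payload>' in the connection charset: a valid
    multibyte character is consumed whole, a backslash skips the next byte, and a
    bare quote ends the literal. True only if the literal ends where we put the
    closing quote; False means an attacker controls what follows."""
    data = b"'" + payload + b"'"
    i = 1
    while i < len(data):
        n = _mb_len(data, i, charset)
        if n > 1:
            i += n
            continue
        c = data[i]
        if c == 0x5C:
            i += 2
            continue
        if c == 0x27:
            return i == len(data) - 1
        i += 1
    return False


def demo():
    attack = b"\xbf'"  # constructed input: stray GBK lead byte followed by a quote
    return {
        "addslashes_latin1": literal_closes_at_end(addslashes(attack), "latin1"),
        "addslashes_gbk": literal_closes_at_end(addslashes(attack), "gbk"),
        # client escapes as latin1 but the server connection is gbk (SET NAMES without mysql_set_charset)
        "real_escape_wrong_charset": literal_closes_at_end(mysql_real_escape(attack, "latin1"), "gbk"),
        "real_escape_gbk": literal_closes_at_end(mysql_real_escape(attack, "gbk"), "gbk"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "safe" if v else "INJECTABLE")
```

Two things follow from running it. addslashes() is only safe while the server decodes the bytes one at a time; the moment the connection uses a multibyte charset it is injectable. And even the charset-aware escape is only as good as its idea of the connection charset: escaping as latin1 while the server runs GBK (the situation a bare SET NAMES creates in PHP, where the client library is not told about the change) reproduces the same hole, which is why the charset must be set through the client API, and why bound parameters, which never go through this text-level escaping at all, remain the preferable alternative the question sets aside.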

php sql injection mysql string escape mysqli_real_escape_string how characters working