PHP: Is mysql_real_escape_string sufficient for cleaning user input?

by

mysql_real_escape_string is not sufficient in all situations but it is definitely very good friend. The better solution is using Prepared Statements

//example from http://php.net/manual/en/pdo.prepared-statements.php

$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
$stmt->bindParam(1, $name);
$stmt->bindParam(2, $value);

// insert one row
$name="one";
$value = 1;
$stmt->execute();

Also, not to forget HTMLPurifier that can be used to discard any invalid/suspicious characters.

………..

Edit:
Based on the comments below, I need to post this link (I should have done before sorry for creating confusion)

mysql_real_escape_string() versus Prepared Statements

Quoting:

mysql_real_escape_string() prone to
the same kind of issues affecting
addslashes().

Chris Shiflett (Security Expert)

More Related Contents:

  1. How Secure Is This Login System? (Using Cookies In PHP)
  2. What are the best practices for avoiding xss attacks in a PHP site [closed]
  3. When should I use prepared statements?
  4. “Keep Me Logged In” – the best approach
  5. Full Secure Image Upload Script
  6. What does it mean to escape a string?
  7. PHP $_SERVER[‘HTTP_HOST’] vs. $_SERVER[‘SERVER_NAME’], am I understanding the man pages correctly?
  8. PHP MySQLI Prevent SQL Injection [duplicate]
  9. How to fake $_SERVER[‘REMOTE_ADDR’] variable?
  10. Best way to defend against mysql injection and cross site scripting
  11. Are mysql_real_escape_string() and mysql_escape_string() sufficient for app security?
  12. Login without HTTPS, how to secure?
  13. Is it safe to trust $_SERVER[‘REMOTE_ADDR’]?
  14. how safe are PDO prepared statements
  15. How to get rid of eval-base64_decode like PHP virus files?
  16. How can I relax PHP’s open_basedir restriction?
  17. How to run PHP exec() as root?
  18. Hiding true database object ID in url’s
  19. CodeIgniter – why use xss_clean
  20. How to enable DDoS protection?
  21. Is htmlspecialchars enough to prevent an SQL injection on a variable enclosed in single quotes?
  22. Why should I use $_GET and $_POST instead of $_REQUEST? [duplicate]
  23. Codeigniter CSRF – how does it work
  24. How to protect my source code when deployed?
  25. Set httpOnly and secure on PHPSESSID cookie in PHP
  26. Does PHP’s $_REQUEST method have a security problem?
  27. is $_SERVER[‘HTTP_REFERER’] safe?
  28. Json: PHP to JavaScript safe or not?
  29. Limiting user login attempts in PHP [duplicate]
  30. What encryption algorithm is best for encrypting cookies?

Leave a Comment