  1. #1
    SitePoint Member
    Join Date
    Mar 2010
    Posts
    11

    Best practices when writing to mysql ?

    Hi all,
    What are the best practices when it comes to writing to mysql?
    For example, to deal with special characters such as:
    apostrophes (')
    "
    &
    etc.

    I've used
    addslashes()
    mysql_real_escape_string()
    -------------------------------
    <?php
    // escape username and password for use in SQL
    // (mysql_real_escape_string() needs an open mysql_connect() link)
    $user = mysql_real_escape_string($user);
    $pwd = mysql_real_escape_string($pwd);

    // build the query by concatenating the escaped values into the SQL string
    $sql = "SELECT * FROM users WHERE user='" . $user . "' AND password='" . $pwd . "'";
    ====================

    OR
    PDO Prepared Statements (of which I know nothing !)

    How do you write to mysql?
    Thanks for any advice.

  2. #2
    SitePoint Enthusiast
    Join Date
    Nov 2009
    Posts
    70
    You should always encrypt the user's passwords.
    Validate the user inputs, if it's a username at all.
    To prevent username duplications add a unique key to the database, and handle mysql_errno() value 1062.
    Use PDO if you know the basic methods only.

    Never use addslashes() AND mysql_real_escape_string() on one input!

  3. #3
    Jake Arkinstall (Theoretical Physics Student)
    Join Date
    May 2006
    Location
    Lancaster University, UK
    Posts
    7,062
    The best possible practice is PDO. Data doesn't need to be escaped, it supports (and promotes) prepared statements and it also makes queries look cleaner.

    If you don't know much (or anything) about PDO, this is your opportunity to learn something new.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes it's enough to make that wheel more rounded" - Molona
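    The question's login query, together with the advice in post #2 (hash the password, validate the username, let a UNIQUE key catch duplicates and handle the resulting error), done with PDO prepared statements. This is an added example, not code from any poster or from SitePoint. It assumes a `users` table with a UNIQUE key on `username` (created by the script); the MySQL DSN shown in the comment is a placeholder, and when run stand-alone the script uses an in-memory SQLite database so it needs no server (PHP 7.1 or later with pdo_sqlite).

```php
<?php
// Added example (not the poster's code nor SitePoint's): the question's login
// query and post #2's advice done with PDO prepared statements.
// Assumptions: a `users` table with a UNIQUE key on `username` (created below);
// the MySQL DSN in the comment near the bottom is a placeholder; when run
// stand-alone the script uses an in-memory SQLite database (needs pdo_sqlite).

function connect(string $dsn = 'sqlite::memory:', ?string $user = null, ?string $pass = null): PDO
{
    $options = [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // failures throw instead of returning false
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    if (strncmp($dsn, 'mysql:', 6) === 0) {
        // Real server-side prepares: MySQL parses the SQL once, then receives
        // the bound values separately, so they can never be read as SQL.
        $options[PDO::ATTR_EMULATE_PREPARES] = false;
    }
    return new PDO($dsn, $user, $pass, $options);
}

function createSchema(PDO $pdo): void
{
    // MySQL equivalent (assumption, adapt to your own schema):
    //   CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY,
    //     username VARCHAR(32) NOT NULL UNIQUE,
    //     display_name VARCHAR(100) NOT NULL, password_hash VARCHAR(255) NOT NULL)
    $pdo->exec('CREATE TABLE IF NOT EXISTS users (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        display_name TEXT NOT NULL,
        password_hash TEXT NOT NULL)');
}

// Input validation is a separate concern from SQL safety: the username is
// checked against a whitelist policy (constructed here: 3-32 of [A-Za-z0-9._-]),
// while the display name may legitimately contain apostrophes or quotes.
function validUsername(string $username): bool
{
    return preg_match('/^[A-Za-z0-9._-]{3,32}$/', $username) === 1;
}

function registerUser(PDO $pdo, string $username, string $displayName, string $password): string
{
    if (!validUsername($username)) {
        return 'invalid-username';
    }
    // Store a one-way hash (bcrypt via PASSWORD_DEFAULT), never the password itself.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, display_name, password_hash)
         VALUES (:username, :display_name, :hash)'
    );
    try {
        $stmt->execute([':username' => $username, ':display_name' => $displayName, ':hash' => $hash]);
    } catch (PDOException $e) {
        // Duplicate username: the UNIQUE key rejects it. MySQL reports driver
        // code 1062 under SQLSTATE 23000; SQLite uses the same SQLSTATE.
        $sqlstate   = $e->errorInfo[0] ?? null;
        $driverCode = $e->errorInfo[1] ?? null;
        if ($sqlstate === '23000' || $driverCode === 1062) {
            return 'duplicate';
        }
        throw $e; // anything else is a real failure
    }
    return 'created';
}

function login(PDO $pdo, string $username, string $password): ?array
{
    // Same lookup as the question's SELECT, but the value is bound rather than
    // concatenated, so no escaping is needed whatever characters it contains.
    $stmt = $pdo->prepare('SELECT id, username, display_name, password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();
    // password_verify compares against the stored hash in constant time.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']); // never hand the hash back to callers
    return $row;
}

// Stand-alone demo with constructed inputs containing the characters from the question.
$pdo = connect(); // for MySQL: connect('mysql:host=localhost;dbname=app;charset=utf8mb4', $dbUser, $dbPass)
createSchema($pdo);
echo registerUser($pdo, 'miles', "Miles O'Brien", 'pa"ss&word\\'), "\n";
echo registerUser($pdo, 'miles', 'Another Miles', 'other'), "\n"; // same username a second time
echo registerUser($pdo, "miles o'brien", 'Miles', 'x'), "\n";     // fails the username policy, never reaches SQL
var_dump(login($pdo, 'miles', 'pa"ss&word\\'));                    // display name comes back unaltered
var_dump(login($pdo, 'miles', 'wrong'));
```

    Run it with `php example.php`: the first registration is created, the second is reported as a duplicate by the UNIQUE key rather than by a racy SELECT-then-INSERT, the third is rejected by the username policy before any SQL runs, and the successful login returns the display name "Miles O'Brien" exactly as stored, with no addslashes() or mysql_real_escape_string() anywhere. Against MySQL, keep `charset=utf8mb4` in the DSN so the connection charset matches what the server uses, and keep emulated prepares off so the server, not the PHP driver, does the binding.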

  4. #4
    SitePoint Member
    Join Date
    Mar 2010
    Posts
    11
    Thanks very much, djjjozsi!
    Great blog, by the way!

    Quote Originally Posted by djjjozsi View Post
    You should always encrypt the user's passwords.
    Validate the user inputs, if it's a username at all.
    To prevent username duplications add a unique key to the database, and handle mysql_errno() value 1062.
    Use PDO if you know the basic methods only.

    Never use addslashes() AND mysql_real_escape_string() on one input!

  5. #5
    SitePoint Member
    Join Date
    Mar 2010
    Posts
    11
    Thanks, Jake!
    I will definitely try out PDO.

    Quote Originally Posted by Jake Arkinstall View Post
    The best possible practice is PDO. Data doesn't need to be escaped, it supports (and promotes) prepared statements and it also makes queries look cleaner.

    If you don't know much (or anything) about PDO, this is your opportunity to learn something new.

