  1. #1
    texassprayfoam (SitePoint Member)

    FILTER_SANITIZE_STRING vs. mysql_real_escape_string

    Hi All,

    I had been using only mysql_real_escape_string to clean my form input data before inserting into a mysql table.

    Recently I came across PHP's internal filter / validation functions, and I want to use them.

    So my question is this:

    If I use FILTER_SANITIZE_STRING & FILTER_SANITIZE_EMAIL to clean up form input data, do I then have to run it through mysql_real_escape_string before inserting it into my database?

    Thanks in advance,

    Robert

  2. #2
    Michael Morris
    Quote Originally Posted by texassprayfoam:
    If I use FILTER_SANITIZE_STRING & FILTER_SANITIZE_EMAIL to cleanup form input data do I have to then run it through mysql_real_escape_string before inserting into my database?
    If you do not have so much code in your project that you're committed, simply use PDO. It's a lot less of a hassle.

  3. #3
    Jake Arkinstall
    I'd second the use of PDO.

    If you're not sure of the benefits, here's a quick (imperfect) overview of the standard mysql library:

    1. Variables get inserted into the SQL string
    2. The SQL string as a whole is sent to MySQL
    3. MySQL parses the string passed as a single entity

    Any unescaped data, as I'm sure you're aware, can corrupt the query and cause all kinds of problems.

    In PDO, however, it works a little something like (again, imperfect example to simplify):

    1. The basic query string, without the variables inserted, is sent to MySQL
    2. MySQL figures out what to do when data (the variables) come in
    3. The variables are sent from PHP to MySQL via PDO. As they aren't in the command string itself, they have no effect on the workings of the query
    4. If multiple sets of data are sent, the original set instructions (#2) are reimplemented, saving processing time
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes its enough to make that wheel more rounded"-Molona

  4. #4
    texassprayfoam (SitePoint Member)
    Wow! I really appreciate you guys' recommendation of PDO. However, implementing an abstraction layer is way beyond what I'm trying to do. I should have been more clear.

    I've got a pretty simple form with a few fields, that gets stored in a DB upon submit, then emails me the info as well.

    I was using mysql_real_escape_string to escape the data before inserting into the db, and I wanted to use FILTER_SANITIZE_EMAIL to prevent injection attacks.

    Thus my question:

    If I use FILTER_SANITIZE_STRING & FILTER_SANITIZE_EMAIL to clean up form input data, do I then have to run it through mysql_real_escape_string before inserting it into my database?

  5. #5
    Salathe
    Quote Originally Posted by texassprayfoam:
    If I use FILTER_SANITIZE_STRING & FILTER_SANITIZE_EMAIL to cleanup form input data do I have to then run it through mysql_real_escape_string before inserting into my database?
    Yes.
    Salathe
    Software Developer and PHP Manual Author.
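    Jake's two-step description of PDO and Salathe's "Yes" fit together, so here is an added example (not code from the thread) showing both halves: the filter functions clean the value for the application, and a separate step keeps it out of the SQL text, either by escaping it (legacy ext/mysql) or by binding it through a PDO prepared statement. The host, database name, credentials and table name are placeholders, and the form data is constructed.

```php
<?php
// Added example, not from the thread. Sanitizing/validating input and keeping
// it out of the SQL text are two different jobs; the filter extension only
// does the first one. DB_HOST/DB_NAME/DB_USER/DB_PASSWORD and the "contacts"
// table are placeholders; $post stands in for a submitted form.
$post = ['name' => "Robert O'Neil", 'email' => 'robert@example.com'];

// Step 1: application-level cleanup. This removes HTML tags and rejects a
// malformed address; it is NOT SQL escaping, and the apostrophe in the name
// survives on purpose (FILTER_FLAG_NO_ENCODE_QUOTES). Note that
// FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; strip_tags() replaces it.
$name  = filter_var($post['name'], FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);
$email = filter_var($post['email'], FILTER_VALIDATE_EMAIL);
if ($name === false || $email === false) {
    exit('Invalid input');
}

// Step 2a: legacy ext/mysql (removed in PHP 7). The value is still spliced into
// the query string, so it must be escaped, and the connection charset should be
// set with mysql_set_charset() so the escaping matches what MySQL will parse.
function legacyInsert($link, string $name, string $email): bool
{
    $n = mysql_real_escape_string($name, $link);   // O'Neil -> O\'Neil
    $e = mysql_real_escape_string($email, $link);
    return (bool) mysql_query("INSERT INTO contacts (name, email) VALUES ('$n', '$e')", $link);
}

// Step 2b: PDO. The query text reaches MySQL first with placeholders; the
// values travel separately, so there is no escaping step to forget.
function pdoInsert(PDO $pdo, string $name, string $email): bool
{
    $stmt = $pdo->prepare('INSERT INTO contacts (name, email) VALUES (:name, :email)');
    return $stmt->execute([':name' => $name, ':email' => $email]);
}

$pdo = new PDO(
    'mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4',   // placeholders
    'DB_USER',
    'DB_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepares, as Jake describes
    ]
);
pdoInsert($pdo, $name, $email);
```

    With ATTR_EMULATE_PREPARES left at its default, PDO's MySQL driver quotes the values client-side and sends a single string instead, so turning it off is what gives you the two-message flow from Jake's list.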

  6. #6
    texassprayfoam (SitePoint Member)
    Thanks

  7. #7
    Michael Morris
    Just be warned that function is glitchy and doesn't always work.

  8. #8
    ScallioXTX
    Quote Originally Posted by Michael Morris:
    Just be warned that function is glitchy and doesn't always work.
    That has never actually been proven, has it? Not saying you're wrong, but rather thinking out loud here.
    Rémon - Hosting Advisor