Best practices when writing to mysql?

Hi all :),
What are the best practices when it comes to writing to MySQL, for example to deal with special characters such as apostrophes ('), ", &, etc.?

I've used addslashes() and mysql_real_escape_string():

// escape username and password for use in SQL
// (mysql_real_escape_string() needs an open mysql_connect() connection)
$user = mysql_real_escape_string($user);
$pwd = mysql_real_escape_string($pwd);

$sql = "SELECT * FROM users WHERE user='" . $user . "' AND password='" . $pwd . "'";

====================

OR
PDO prepared statements (of which I know nothing!)

How do you write to MySQL?
Thanks for any advice :)

You should always encrypt the user’s passwords.
Validate the user inputs, if it's a username at all.
To prevent username duplications add a unique key to the database, and handle mysql_errno() value 1062.
Use PDO if you know the basic methods only.

Never use addslashes() AND mysql_real_escape_string() on one input!

The best possible practice is PDO. Data doesn’t need to be escaped, it supports (and promotes) prepared statements and it also makes queries look cleaner.

If you don't know much (or anything) about PDO, this is your opportunity to learn something new :)
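To make the advice in the two replies above concrete, here is an added example of a register/login flow with PDO prepared statements; it is not code from the original thread or from any of its posters. It assumes a MySQL database named app, credentials app_user/app_password, and a users table with a UNIQUE key on username (the CREATE TABLE is given in the comments); all of those are assumptions for the example. For the "encrypt the passwords" point it uses PHP's one-way password_hash()/password_verify() rather than reversible encryption, and it handles the duplicate-username case through MySQL error 1062 as suggested. Note that the old mysql_* extension the question's snippet relies on was deprecated in PHP 5.5 and removed in PHP 7.0, so PDO (or mysqli) is the only option on current PHP anyway.

```php
<?php
// Added example (not code from the original thread): registering and
// authenticating a user with PDO prepared statements.
// Assumed schema (hypothetical, for this example only):
//   CREATE TABLE users (
//     id            INT AUTO_INCREMENT PRIMARY KEY,
//     username      VARCHAR(64)  NOT NULL UNIQUE,
//     password_hash VARCHAR(255) NOT NULL
//   );
// The DSN and credentials below are assumptions as well.

function connect(): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
        'app_user',
        'app_password',
        [
            // Throw on error instead of returning false, so a failed query
            // cannot be silently ignored.
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            // Use real server-side prepared statements, not client-side
            // emulation, so parameters never touch the SQL text.
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Allow-list validation of the username. The prepared statement already
// protects the database; this just rejects junk before it gets that far.
function validUsername(string $username): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_.-]{3,64}$/', $username);
}

// Returns true on success, false if the username is already taken
// (MySQL error 1062, ER_DUP_ENTRY, raised by the UNIQUE key).
function registerUser(PDO $pdo, string $username, string $password): bool
{
    if (!validUsername($username)) {
        throw new InvalidArgumentException('invalid username');
    }
    // Store a salted, slow hash; never the password itself.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash) VALUES (:username, :hash)'
    );
    try {
        $stmt->execute([':username' => $username, ':hash' => $hash]);
    } catch (PDOException $e) {
        // errorInfo[1] holds the driver-specific error code.
        if ((int) ($e->errorInfo[1] ?? 0) === 1062) {
            return false;
        }
        throw $e;
    }
    return true;
}

// Returns the user's id on success, null on unknown user or wrong password.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    // An apostrophe in O'Brien or a "' OR '1'='1" payload is bound as data;
    // it is never spliced into the SQL, so no escaping is needed.
    $stmt = $pdo->prepare(
        'SELECT id, password_hash FROM users WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Usage (sample values are constructed for the example):
$pdo = connect();
if (!registerUser($pdo, 'alice', 'correct horse battery staple')) {
    echo "username already taken\n";
}
var_dump(authenticate($pdo, 'alice', 'correct horse battery staple')); // int(id)
var_dump(authenticate($pdo, "alice' OR '1'='1", 'anything'));           // NULL: literal lookup
```

The two settings passed to the PDO constructor matter: ERRMODE_EXCEPTION is what makes the 1062 catch possible, and turning off emulated prepares keeps the value/SQL separation on the server side, which is the property that makes the escaping in the question unnecessary.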

Thanks very much djjjozsi !
Great blog by the way !

Thanks Jake !
Definitely I will try out PDO :)