HTML Form-PHP MySQL Security Help

Normally I use a custom function that goes through quite a few string replaces to help secure my db’s from HTML forms. And I know that I am going to eventually have to write preg matches for all of them (I have some), but I recently stumbled across a bit of code:

$newemail=(htmlspecialchars(mysql_real_escape_string($_POST['email']),ENT_QUOTES,"UTF-8"));

Is this good for MySQL vulnerabilities?

You only need mysql_real_escape_string. Anything added is pointless.
Could skip all of that and just use Prepared Statements.

Thanks logic earth,

I thought encoding was to help protect against cross site attacks.

If by prepared you mean "SELECT id,name FROM table WHERE match="'.$value.'";" I got that. At either rate I had problems with the above code so I am just gonna have to use my string replaces until I write the proper regular expression.

Just thought it might help in a basic scenario

No, I’m talking about Prepared Statements.

PHP: Prepared statements and stored procedures - Manual
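
An added example, not part of the original thread: it shows the prepared-statement approach linked above, with htmlspecialchars applied only when a value is echoed into HTML rather than before it is stored. The table, column and function names are hypothetical, the inputs are constructed, and an in-memory SQLite database stands in for MySQL so the script runs without a server.

```php
<?php
// Added example. Table, column and function names are hypothetical.
// SQLite in memory stands in for MySQL so the script runs offline; for MySQL
// only the DSN changes (a 'mysql:host=...;dbname=...;charset=utf8mb4' DSN).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');

function saveEmail(PDO $pdo, string $email): int
{
    // The SQL text is fixed; the value travels separately as a bound
    // parameter, so quotes inside it cannot change the statement.
    $stmt = $pdo->prepare('INSERT INTO users (email) VALUES (:email)');
    $stmt->execute([':email' => $email]);
    return (int) $pdo->lastInsertId();
}

function findByEmail(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function h(string $value): string
{
    // HTML-encode at output time only; the database keeps the original text.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs standing in for $_POST['email'].
$inputs = [
    "o'brien@example.com",                    // quote that breaks a concatenated query
    "x' OR '1'='1",                           // stored and compared as plain text
    '<script>alert(1)</script>@example.com',  // markup, encoded when echoed
];
foreach ($inputs as $raw) {
    saveEmail($pdo, $raw);
}

// The lookup matches only the row that literally contains this string.
echo count(findByEmail($pdo, "x' OR '1'='1")), " matching row(s)", PHP_EOL;

// Echo every stored value through h() before it reaches the page.
foreach ($pdo->query('SELECT email FROM users') as $row) {
    echo h($row['email']), PHP_EOL;
}
```

With pdo_mysql, PDO::ATTR_EMULATE_PREPARES can be set to false so the statement is prepared on the server instead of being emulated by the client library.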