I’m aware that using ‘mysql_real_escape_string’ should no longer be encouraged for sanitizing input data and have begun taking the steps to move to PDO. But what about form validation? Simply making sure that contact details are safe. Are there any good, easy to understand tutorials around that any poster on here would recommend to be viewed and used in real life projects?
mysql_real_escape_string was never for sanitising but rather to prevent a query failing if it contained certain characters (single quotes). This happens to prevent injections but is not a security feature per se.
Check out fretburner’s link; the PHP filters are pretty good, though sometimes you may need to add a bit of your own sanitising in there.
Yes, I agree that mysql_real_escape_string is not meant for sanitising, and whether you use this or PDO doesn’t make any difference to security as long as you use the tools properly. But yes, the old mysql extension is deprecated, so it’s a good idea to move to PDO or mysqli.
However, I personally dislike PHP’s filter functions. While they are a good idea they are very poorly implemented. The specific filters often don’t do what they should be doing, for example FILTER_SANITIZE_NUMBER_FLOAT or FILTER_SANITIZE_NUMBER_INT can result in corrupted numbers like ++++039430–23.
FILTER_SANITIZE_STRING for me doesn’t make sense as it always strips HTML tags. I have made so many sites and online systems and I haven’t come across a single case where I would want or need to strip tags from user-submitted input - with the proper escaping of output this is not necessary for security at all. However, I think FILTER_SANITIZE_STRING should be able to remove stuff like unprintable control characters or sanitize corrupted strings in multi-byte Unicode character sets - such important stuff is lacking there. I have tried these functions and have no need to touch them again, especially as in 90% of cases they replicate what other functions are already doing. Good idea, flawed execution.
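To make the two preceding posts concrete, here is an added example (mine, not code from anyone in this thread) that puts a "sanitize" filter next to its "validate" counterpart, checks the control-character and multi-byte gap just described, and stores the result through a PDO placeholder instead of escaping. The `$pdo` connection, the `contacts` table, the input values and the mbstring extension are assumptions of the example.

```php
<?php
// Added example, not from the thread. The "sanitize" filters rewrite bad input,
// the "validate" filters reject it, and PDO placeholders remove the need to
// escape values at all. $pdo, the "contacts" table and mbstring are assumed.

/** Returns [sanitized, validated] for one raw value so the difference is visible. */
function intFilters(string $raw): array
{
    // FILTER_SANITIZE_NUMBER_INT only strips characters other than digits, + and -,
    // so a constructed value like "++++039430-23" comes back unchanged (not an int).
    $sanitized = filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
    // FILTER_VALIDATE_INT returns false for the same input instead of guessing.
    return [$sanitized, filter_var($raw, FILTER_VALIDATE_INT)];
}

/** Validates a contact form; returns ['errors' => [...], 'clean' => [...]]. */
function validateContact(array $input): array
{
    $errors = [];
    $clean = [];
    $name = trim($input['name'] ?? '');
    // The filter extension never rejects control characters or broken multi-byte
    // sequences (the gap noted above), so check those explicitly.
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100
        || !mb_check_encoding($name, 'UTF-8') || preg_match('/[\x00-\x1F\x7F]/', $name)) {
        $errors[] = 'name must be 1-100 printable UTF-8 characters';
    } else {
        $clean['name'] = $name;
    }
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email address is not valid';
    } else {
        $clean['email'] = $email;
    }
    return ['errors' => $errors, 'clean' => $clean];
}

/** Stores a validated record; the driver keeps data and SQL apart, so no escaping. */
function storeContact(PDO $pdo, array $clean): void
{
    $stmt = $pdo->prepare('INSERT INTO contacts (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $clean['name'], ':email' => $clean['email']]);
}

foreach (['42', '++++039430-23', '1e3'] as $raw) {   // constructed sample inputs
    [$s, $v] = intFilters($raw);
    printf("%-16s sanitize=%-16s validate=%s\n", $raw, var_export($s, true), var_export($v, true));
}
$result = validateContact(['name' => "Ann\x00", 'email' => 'not-an-email']);
print_r($result['errors']);   // both fields rejected, nothing silently rewritten
```

Whatever is stored this way still has to be escaped for the context it is shown in later, e.g. `htmlspecialchars($clean['name'], ENT_QUOTES, 'UTF-8')` for HTML, which is the output-escaping point made in the post above.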