Should I still sanitize the input with mysqli?

I use prepared mysqli statements. Should I still sanitize user input with some function, for example:

function sanitise($string){
  $string = strip_tags($string); // Remove HTML
  $string = htmlspecialchars($string); // Convert characters
  $string = trim(rtrim(ltrim($string))); // Remove spaces
  $string = mysql_real_escape_string($string); // Prevent SQL Injection
  return $string;
}

Thanks.

+3
4 answers

No! No and no. If you are already using prepared statements, MySQL should see the value, not some escaped version. If you add mysql_real_escape_string to the line and pass this value to the prepared statement, you have just ruined it; for example, quotes are doubled!

, , - , . strip_tags html- > raw (format), . , rtrim(ltrim - -.

+8
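The point made in this answer, shown as an added example that is not part of the original question or any of the answers: the raw value is bound to a placeholder, while the escaped value, bound the same way, is stored with the backslash as part of the data. The host, credentials, database and the `users` table are assumed placeholders; the `real_escape_string` call stands in for the `mysql_real_escape_string` from the question, since the mysql extension was removed in PHP 7.

```php
<?php
// Added example. Assumes a reachable MySQL/MariaDB server with the placeholder
// credentials below and this table:
//   CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(100));
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('127.0.0.1', 'app', 'secret', 'appdb'); // placeholder credentials
$db->set_charset('utf8mb4');

$input = "O'Brien"; // constructed user input containing a single quote

// Correct: bind the raw value. The driver sends parameters separately from the
// SQL text, so the quote cannot alter the statement's structure.
$stmt = $db->prepare('INSERT INTO users (name) VALUES (?)');
$stmt->bind_param('s', $input);
$stmt->execute();
$goodId = $db->insert_id;

// Wrong: escaping first, then binding. The backslash is now part of the data,
// so the stored name is O\'Brien, which is what "quotes are doubled" means here.
$escaped = $db->real_escape_string($input);
$stmt->bind_param('s', $escaped);
$stmt->execute();
$badId = $db->insert_id;

// Read both rows back, again with a bound parameter, to compare what was stored.
$sel = $db->prepare('SELECT name FROM users WHERE id = ?');
$sel->bind_param('i', $id);
$sel->bind_result($name);
foreach ([$goodId => 'raw value bound', $badId => 'escaped value bound'] as $id => $label) {
    $sel->execute();
    $sel->store_result();   // buffer the row so the statement can be re-executed
    $sel->fetch();
    $sel->free_result();
    printf("%-20s id %d stored as: %s\n", $label, $id, $name);
}
$sel->close();
$stmt->close();
$db->close();
```

The only place escaping belongs is output, and that is a different escaping (HTML, URL) for a different consumer than the database.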

.. mysql, , , .

. PHP: mysql_real_escape_string ?

:

mysql, real_mysql_scape_string scape .

+2

Prepared statements ensure that the form of your query is not subject to malicious input. But there is a lot of malicious content that fits perfectly in the SQL query, yet will attack the browser when it is viewed later.

Running mysql_real_escape_string for the data coming into the prepared statement is usually redundant (there are exceptions, but these are special cases).

0
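The second half of this answer, content that is harmless to SQL but dangerous to a browser, shown as an added example that is not part of the original question or any of the answers. It stores nothing in a database; the `$stored` string is a constructed stand-in for a value read back from a prepared SELECT, and the function names are illustrative.

```php
<?php
// Added example: escape at output time, per context, rather than before storage.
// The database does not care about HTML; the browser does.
$stored = '<img src=x onerror="alert(1)"> & "Tom" O\'Brien'; // constructed value as it sits in the DB

// Vulnerable: emitting the stored value straight into HTML lets it run as markup.
function renderUnsafe(string $value): string
{
    return "<p>Hello, $value</p>";
}

// HTML text and attribute context: encode <, >, &, " and ' at output time.
function renderHtml(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Hello, $safe</p>";
}

// URL query context: percent-encode the value, then HTML-escape the whole
// attribute, because the link sits inside an HTML attribute as well.
function renderLink(string $value): string
{
    $query = 'q=' . rawurlencode($value);
    $href  = htmlspecialchars('/search?' . $query, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<a href=\"$href\">search</a>";
}

echo renderUnsafe($stored), "\n"; // markup survives intact: the injected tag is live
echo renderHtml($stored), "\n";   // every special character becomes an entity
echo renderLink($stored), "\n";   // value survives a round trip through the URL
```

Storing the raw value and escaping on the way out is what lets the same record be rendered in HTML, placed in a URL, or returned as JSON, each with the encoding that context needs; running `htmlspecialchars` before the INSERT, as the question's `sanitise()` does, bakes HTML entities into data that may never be shown as HTML.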

You should always sanitize your user input before submitting it to the database. I would just stick with mysql_real_escape_string, as the others are not really needed unless you return the values to the URL.

-1
