Kevin Harrison

Entries from September 2009

Tuesday, September 15. 2009

Sanatizing mysql inputs with php Posted by Kevin Harrison at 12:40

Comments (0)
Trackbacks (0)
Defined tags for this entry: ,

Sanatizing mysql inputs with php

There are multiple options obviously for PHP, and one should use the quoting option provided by the ORM or extension one is using.

The most common ways are either MySQL/MySQLi or though PDO.

<?php
//
//MYSQL
//
$conn = mysql_connect(/ AUTH /);

//The mysqli driver also provides mysqli_real_escape_string()
$result = mysql_query(sprintf(
"UPDATE users SET name = '%s'",
mysql_real_escape_string($_GET['name'])
));

//
//PDO (Multiple DB Backends)
//
$conn = new PDO(/ DSN /);

//PDO::quote(...) alters quoting style depending on the DB driver
//CAVEAT: PDO_ODBC does not properly implement the quote feature
$stmt = $conn->prepare("UPDATE users SET name = :name");
$stmt->execute(array(
':name' => $_GET['name'],
));

//Best practice to typecast values that should always be integers
$rows = $conn->query(sprintf(
"SELECT id, name FROM users WHERE id = %s",
$conn->quote((int)$_GET['id'], PDO::PARAM_INT)
));

?>
Bookmark Sanatizing mysql inputs with php at del.icio.us Digg Sanatizing mysql inputs with php Bloglines Sanatizing mysql inputs with php Technorati Sanatizing mysql inputs with php Fark this: Sanatizing mysql inputs with php Bookmark Sanatizing mysql inputs with php at YahooMyWeb Bookmark Sanatizing mysql inputs with php at Furl.net Bookmark Sanatizing mysql inputs with php at reddit.com Bookmark Sanatizing mysql inputs with php at NewsVine Bookmark Sanatizing mysql inputs with php at blogmarks Bookmark Sanatizing mysql inputs with php at Ma.gnolia.com Bookmark using any bookmark manager! Stumble It!
« previous page   (Page 1 of 1, totaling 1 entries)   next page »
Frontpage

Quicksearch

Archives

May 2012
April 2012
March 2012
Recent...
Older...

Syndicate This Blog

Blog Roll

Show tagged entries