PHP SQL Injection Prevention With String Operations [duplicate]

Question

Possible Duplicate:
Best way to prevent SQL injection in PHP?

I have been doing some research about SQL Injection but I have some questions that I couldn't find answer to. Isn't it possible to prevent SQL injection attacks on string levels? What I mean is, can't we prevent it by;

• Finding illegal characters before processing them through mysql queries?

  $postID = $_POST['id'];
  if($postID contains characters)
      remove characters;
  if($postID still contains characters)
      then exit;
  else
      mysql_real_escape_string($postID); //just in case?
  continue to do whatever you are doing...
  

Is it really necessary to use PDO/mysqli stuff? Is it sufficient to analyze your sql strings to be processed in mysql? Please keep in mind that I am not a PHP or MySQL expert while replying. I am someone who is trying to learn about them.

Answer 1

Sure, you can protect against injection with mysql_real_escape_string($postID), as long as you don't mind a query every time you call the function.

PDO and MySQLi provide a lot more than just injection protection. They allow for prepared statements that can protect agaisnt injection without multiple calls to the db. This means faster overall performance. Imagine trying to insert to a table a user record with 30 columns... that's a lot of mysql_real_escape_string() calls.

Prepared statements send all the data at once along with the query and escape it on the server in one request. Mysql DB's support prepared statments, the old php mysql_ libraries don't support them.

Time to move on to mysqli or preferrably PDO--you'll never look back.