I'm just wondering, would the following be completely safe, or would someone be able to get around it using hexadecimal characters, etc.:
$name = mysql_real_escape_string(htmlentities(stripslashes($_REQUEST['name'])));
$query ="SELECT * FROM Games WHERE name LIKE '%{$name}%'";
Thanks.
I know I can use PEAR and other libraries to make prepared statements. However, this question is specifically regarding raw queries.
mysql_real_escape_string does the trick.
[EDIT]
For strings use:
$str = mysql_real_escape_string($input);
For numeric values, type casting is sufficient, like:
$val = (int)$input;
Use parametrized prepared statements along with PDO. This will give you the most secure way of sending queries that PHP can offer, and you'll not have to deal with escaping at all using that approach.
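As an added example (not code from the question or either answer), here is the same Games search rewritten with a PDO prepared statement. The DSN, credentials and the Games(name) table are placeholders/assumptions. Binding the value stops SQL injection, but LIKE still treats % and _ in the bound value as wildcards, so the example also escapes those with an explicit ESCAPE character.

```php
<?php
// Added example: the LIKE search from the question, done with a bound
// parameter instead of splicing the escaped string into the SQL text.
// Assumes a MySQL database with a table Games(name VARCHAR ...).

function searchGames(PDO $pdo, string $userInput): array
{
    // Parameter binding keeps the input out of the SQL grammar, but LIKE
    // still interprets % and _ inside the value as wildcards. Escape them
    // (and the escape character itself) so the text is matched literally.
    $pattern = '%' . strtr($userInput, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';

    $stmt = $pdo->prepare(
        "SELECT * FROM Games WHERE name LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=games;charset=utf8mb4', // placeholder DSN
    'dbuser',                                            // placeholder user
    'dbpass',                                            // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// Input such as "' OR 1=1 -- " or "50%" is only ever a literal search term.
// HTML escaping belongs at output time, not before the query.
foreach (searchGames($pdo, $_REQUEST['name'] ?? '') as $row) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```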