Question:
Is using preg_replace safe enough for validating user input for PHP and MySQL?
Brooke
2009-10-10 10:28:17 UTC
Is this safe enough to use?

$safe_user_input = preg_replace("/[^a-zA-Z0-9\-\/]/", "", $_GET['user_input']);

$sql = "update my_table set user_input = '" . $safe_user_input . "' ";
Assuming I allow slashes, dashes, letters, and numbers only.
I use different methods if I need to include quotes.
Three answers:
EFG
2009-10-10 10:35:49 UTC
or just use mysql_real_escape_string()
kantzer
2016-11-29 05:40:31 UTC
Mikhus is physically powerful. "Get away" all variables which you incredibly desire to apply interior queries utilising between the aforementioned applications. Purely changing apostrophes (') works for lots of the strings, yet while a committed function is there (which tests for different particular characters besides) why not use it. Nevertheless, do not double get away your enter. Disable magic expenses and revise your code to function instruction manual escaping or you will finally end up storing strings mutually with "Zak's pc" on your database.
treemonster
2009-10-13 21:08:42 UTC
You can pass the input string through four functions for cleaning:

trim()
stripslashes()
htmlspecialchars()

and the others mentioned...
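An added example, not from any of the posts above: the question's whitelist kept as a format check, with the value then written through a PDO prepared statement rather than string concatenation, so the SQL stays safe even for input the regex would strip. SQLite in-memory is assumed here only so it runs offline; the same PDO calls work against MySQL.

```php
<?php
// Added example (not from the original thread): whitelist check plus a bound
// parameter, so the database driver, not the regex, keeps input out of the SQL grammar.
declare(strict_types=1);

// Same whitelist as the question: letters, digits, dash and slash only.
function whitelist_filter(string $input): string
{
    return preg_replace('/[^a-zA-Z0-9\-\/]/', '', $input);
}

// Reject rather than silently strip: true only if the input already consists
// solely of allowed characters (a stricter check than stripping).
function is_allowed(string $input): bool
{
    return preg_match('/^[a-zA-Z0-9\-\/]*$/', $input) === 1;
}

// Store the value with a bound parameter. Returns the number of rows updated.
function store_user_input(PDO $db, string $value): int
{
    $stmt = $db->prepare('UPDATE my_table SET user_input = :v');
    $stmt->bindValue(':v', $value, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

// SQLite in-memory is assumed here so the example runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE my_table (id INTEGER PRIMARY KEY, user_input TEXT)');
$db->exec("INSERT INTO my_table (user_input) VALUES ('')");

// Constructed sample input containing a quote and some SQL-looking text.
$raw = "abc' OR '1'='1";
$filtered = whitelist_filter($raw);   // "abcOR11"
printf("filtered: %s (allowed as-is: %s)\n", $filtered, is_allowed($raw) ? 'yes' : 'no');

// Even the unfiltered string is stored literally, quote included, because it
// travels as a parameter and never becomes part of the SQL text.
store_user_input($db, $raw);
echo $db->query('SELECT user_input FROM my_table')->fetchColumn(), "\n";
```

The whitelist decides what the application accepts; the prepared statement is what keeps the query itself intact regardless of what the whitelist lets through.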


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.