Question:
what do i replace mysql_real_escape_string with?
Natalie Oturovich
2014-01-04 02:18:19 UTC
Really, I needed this hours ago and am about to start crying from the stress. There is no rational reason to replace this 1 argument, simple, easy to use form with the -so far NEVER working- mysqli::thing or the mysqli_real_escape_string that when I give it the REQUIRED escape string 2nd argument, just coughs back some error about a string that exists nowhere in my code.

Please, Please!
Does anyone know where I can just find source to a php function to strip all SQL, HTML, XML, etc injection and risks out of form data?
I can't even do it by brute force with ereg because that was deprecated too.
Three answers:
anonymous
2014-01-04 03:03:02 UTC
Are any of these solutions any good for you?

http://stackoverflow.com/questions/1162491/alternative-to-mysql-real-escape-string-without-connecting-to-db

https://forums.digitalpoint.com/threads/what-to-use-instead-of-mysql_real_escape_string.2645362/
looniper
2014-01-04 19:21:13 UTC
To strip out everything that could pose a risk you could simply remove all non-alphanumeric data from what is submitted.

If that takes out too much - if you are using emails etc. - you could try using the various filter options.

Look up filter_var() and the associated FILTER_ flags.

filter_var($cleanthis, FILTER_SANITIZE_EMAIL);

strips everything not typically valid in an email address from $cleanthis.

You can couple it with the use of FILTER_VALIDATE_EMAIL in place of the sanitize flag to test the string's validity as an email. (Just the validity, not whether or not it exists, of course.)

It sounds like you are looking for something like

filter_var($cleanthis, FILTER_SANITIZE_STRING);

Keep in mind though, this doesn't remove all risks - nothing so far does.
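The filter_var() approach from the answer above, worked through as an added example (this is not code from the thread or from any poster): each form field gets the narrowest validate filter that fits it, and free text is checked against a length limit and a character whitelist rather than stripped. The field names (email, user_id, name), the 100-character limit, and the name regex are assumptions for illustration, and mb_strlen() assumes the mbstring extension is loaded.

```php
<?php
// Added example, not from the original thread: validating form fields with
// filter_var() before they go anywhere near a query. Field names, the
// length limit and the name character class are assumptions.

declare(strict_types=1);

/**
 * Returns ['ok' => true, 'data' => [...]] with a cleaned copy of the
 * submitted form, or ['ok' => false, 'errors' => [...]].
 * Validate where a field has a well-defined format; sanitize only as a
 * fallback, because sanitizing silently alters data instead of rejecting it.
 */
function validateForm(array $post): array
{
    $errors = [];
    $clean  = [];

    // FILTER_VALIDATE_EMAIL returns false for anything that is not a
    // syntactically valid address; it says nothing about deliverability.
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email is not a valid address';
    } else {
        $clean['email'] = $email;
    }

    // Numeric IDs: validate as an int inside an explicit range instead of
    // trusting whatever string arrived in the request.
    $id = filter_var($post['user_id'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX]]);
    if ($id === false) {
        $errors[] = 'user_id must be a positive integer';
    } else {
        $clean['user_id'] = $id;
    }

    // Free text: enforce a length limit and a character whitelist. Quotes
    // are allowed on purpose (names like O'Brien are valid input); keeping
    // them out of the SQL grammar is the database layer's job, not this
    // function's. mb_strlen() assumes the mbstring extension is available.
    $name = trim((string)($post['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'name must be 1-100 characters';
    } elseif (!preg_match('/^[\p{L}\p{M}\s\'\-.]+$/u', $name)) {
        $errors[] = 'name contains unsupported characters';
    } else {
        $clean['name'] = $name;
    }

    return $errors === []
        ? ['ok' => true,  'data'   => $clean]
        : ['ok' => false, 'errors' => $errors];
}

// Constructed sample input, shaped the way $_POST would deliver it.
$good = [
    'email'   => 'alice@example.com',
    'user_id' => '42',
    'name'    => "O'Brien",   // a legitimate quote that must survive validation
];
print_r(validateForm($good));

$bad = [
    'email'   => 'not-an-address',
    'user_id' => '-1',
    'name'    => str_repeat('x', 200),
];
print_r(validateForm($bad));
```

Two things worth knowing when adapting this: validation rejects bad input outright, which is usually preferable to the FILTER_SANITIZE_* family quietly rewriting it, and FILTER_SANITIZE_STRING in particular was deprecated in PHP 8.1. Neither filter makes a value safe to concatenate into SQL; that is what parameterized queries are for.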
noob
2014-01-04 14:29:09 UTC
It would be best if you could attach the problematic part of the code you are writing.
However, the preferred way of dealing with SQL injections now is using prepared statements. It is a little bit tough to learn and implement if you are new, but it's worth it for its security advantage. See this: http://mattbango.com/notebook/code/prepared-statements-in-php-and-mysqli/
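To make the prepared-statement recommendation concrete, here is an added example (not code from the thread, the linked article, or any poster) that shows the old escape-and-concatenate pattern next to its mysqli replacement. The host, credentials, database name, and the users table with id, email, name and age columns are all assumed, and get_result() assumes PHP's mysqlnd driver.

```php
<?php
// Added example, not from the original thread: replacing
// mysql_real_escape_string() plus string concatenation with a mysqli
// prepared statement. Connection details and the `users` table are assumed.

declare(strict_types=1);

// Make mysqli throw exceptions instead of returning false on failure, so a
// broken query is noticed rather than silently producing an empty result.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // assumed
$db->set_charset('utf8mb4'); // escaping and binding depend on the connection charset

/**
 * The pattern the question is trying to replace. The value is spliced into
 * the SQL text, so escaping is the only thing keeping input out of the
 * query grammar, and it only works if the connection charset is right and
 * the escaped value sits inside quotes. Kept here for comparison only.
 */
function findUserLegacy(mysqli $db, string $email): ?array
{
    $safe = $db->real_escape_string($email);
    $res  = $db->query("SELECT id, name FROM users WHERE email = '$safe'");
    return $res->fetch_assoc() ?: null;
}

/**
 * The replacement: the SQL text is sent to the server with a `?`
 * placeholder, the value travels separately and is never parsed as SQL,
 * so there is nothing to escape. 's' tells bind_param to bind a string.
 */
function findUser(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

/**
 * Same idea for an INSERT with several values. The type string 'ssi'
 * means string, string, integer, one letter per placeholder in order.
 */
function addUser(mysqli $db, string $email, string $name, int $age): int
{
    $stmt = $db->prepare('INSERT INTO users (email, name, age) VALUES (?, ?, ?)');
    $stmt->bind_param('ssi', $email, $name, $age);
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// Constructed input containing a quote: with bound parameters it is stored
// and matched literally, with no escaping call anywhere in the code.
$email = "o'brien@example.com";
addUser($db, $email, "O'Brien", 33);
var_dump(findUser($db, $email));
```

The type string passed to bind_param() is what takes over from the second argument the question mentions: it describes how each value is bound, and the statement can be prepared once and executed many times with different bound values.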
This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.