mysql_real_escape_string(htmlspecialchars( $value )); is that enough? How can I easily improve it?

I'm using this on every $_GET or $_POST value before accessing or inserting into my database.

I'm sure it's not enough, but how safe is it? Can I combine it with some expression to make it safer?

thanks a lot!

So how about this? mysql_real_escape_string(htmlspecialchars( $value ));


No, that is not enough. You should use mysql_real_escape_string to prevent SQL injection attacks.


mysql_escape_string($value) is a bit smarter when sanitizing strings that will be used in an SQL query.


You should use mysql_real_escape_string() to protect your database from injection attacks (or better yet, prepared statements with something like the PDO library) and htmlspecialchars() when you're displaying data pulled from a database.
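The point the answers above share is that the two functions protect two different contexts: one for the SQL statement, one for the HTML page. Chaining them on the way into the database mixes the contexts (the stored value becomes the HTML-encoded text, not what the user typed) and still leaves unquoted contexts such as numeric columns uncovered. The script below is an added example, not code from the question or any answer; it uses PDO prepared statements for the database side and applies htmlspecialchars() only when rendering. It assumes an in-memory SQLite database so that it runs offline; the table name, column names and sample comment are constructed for the example, and the same PDO calls work against a MySQL DSN.

```php
<?php
// Added example (not from the original question or answers).
// Database access: parameterised SQL via PDO, no manual escaping.
// HTML output: htmlspecialchars() at render time only.
// Assumption: an in-memory SQLite database is used so the script runs offline;
// a DSN such as 'mysql:host=localhost;dbname=app' behaves the same way.

declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Request native (server-side) prepares where the driver supports them;
    // on MySQL this keeps parameter values out of the statement text entirely.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    // Constructed schema for the example.
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');
    return $db;
}

// Store user input exactly as received. The placeholders keep the values
// outside the SQL grammar, so quotes, backslashes and semicolons are just data.
function insertComment(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// Numeric parameters are typed and bound explicitly. This is the unquoted
// context (WHERE id = ...) that string escaping alone never covered.
function fetchComment(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escape for HTML only at the moment a value is written into HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderComment(array $row): string
{
    return '<p><b>' . h($row['author']) . '</b>: ' . h($row['body']) . "</p>\n";
}

$db = openDb();

// Constructed sample input containing a SQL-significant quote and HTML markup.
$author = "O'Reilly";
$body   = 'I <3 PHP & "prepared" statements';

$id  = insertComment($db, $author, $body);
$row = fetchComment($db, $id);

// The stored data round-trips unchanged: the database holds the user's actual
// text, so it can later be shown in HTML, JSON, e-mail or a CSV export with the
// escaping appropriate to each of those contexts.
if ($row === null || $row['author'] !== $author || $row['body'] !== $body) {
    throw new RuntimeException('stored value does not match input');
}

// A lookup for an id that does not exist simply returns null.
if (fetchComment($db, $id + 1) !== null) {
    throw new RuntimeException('unexpected row');
}

// Only here, at output, does HTML escaping happen.
echo renderComment($row);
```

Two caveats worth keeping in mind with the answers above: mysql_escape_string() ignores the connection's character set (which is why mysql_real_escape_string() was introduced and the older function was deprecated), and the whole mysql_* extension was removed in PHP 7, so on any supported PHP version the PDO (or mysqli) prepared-statement route is the only one available anyway.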
