How to treat the string to avoid SQL Injection? [duplicate]

1

I have the following code:

$nome = $_POST['nome'];
$ip = preg_replace("/[^a-zA-Z0-9\.]/", "", $_POST['ip']);
$porta = preg_replace("/[^0-9\s]/", "", $_POST['porta']);
$site = preg_replace("/[^a-zA-Z0-9\.]/", "", $_POST['site']);

I'm handling some variables with the exception of one, as it needs to accept accentuation, how do I treat this variable correctly to avoid SQL Injection ? And get her to accept accents, strokes, and brackets?

    
asked by anonymous 18.01.2017 / 04:53

2 answers

1

You can use mysql_real_escape_string ( Documentation )

This function will not make you lose unwanted characters, such as the way you are doing. They will be encoded so that MYSQL understands them as part of string , not part of the code.

    
18.01.2017 / 05:05
6

Please note that mysql_real_escape_string is OBSOLETE (see documentation in English)!

  

Warning   This extension was deprecated in PHP 5.5.0, and it was removed in PHP 7.0.0. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information.

     

Alternatives to this function include:

     

mysqli_real_escape_string ()

     

PDO :: quote ()

I recommend using PDO or , always with prepare .

There's already an excellent answer from @rray on this subject: How to prevent SQL injection in my PHP code

    
18.01.2017 / 11:05