What is the best way to avoid SQL injection [duplicate]

1

I have 2 ways to prevent SQL injection, they are:

1st

$input = $conexao->real_escape_string($input);

2nd

$input = filter_var($input, FILTER_SANITIZE_SPECIAL_CHARS);

Query

$query = "select * from cadastro where nome = '".$input."' LIMIT 1";

What's the best way?

Does real_escape_string consume mysql or php server resource?

    
asked by anonymous 09.08.2017 / 18:56

1 answer

2

Using PDO also helps

 $query = "SELECT * FROM cadastro WHERE nome = :nome LIMIT 1";

 $stmt = $this->connection->prepare($query);
 $stmt->bindValue(":nome", $input, PDO::PARAM_STR); // value is sent as data, never spliced into the SQL text
 $stmt->execute();
 $row = $stmt->fetch(PDO::FETCH_ASSOC);             // false when no row matches

So you define what kind of variable goes into each parameter, e.g. PDO::PARAM_STR.

    
09.08.2017 / 20:02
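Added example for both the question and the answer above (it is not code from either poster): a complete, runnable version of the prepared-statement lookup on the page's cadastro table. The query text is fixed and the name travels as a bound parameter, so nothing in the input is ever interpreted as SQL; this is the property neither real_escape_string (which must be applied correctly on every string, every time) nor FILTER_SANITIZE_SPECIAL_CHARS (an HTML-output encoder, not a SQL escaping function) gives you. The SQLite in-memory database, the sample rows, and the function names connect and findByNome are constructed for this example so it runs offline; the same findByNome works unchanged against a MySQL DSN. On the resource question from the post: mysqli's real_escape_string is performed locally in the client library using the connection's character set and does not make a round trip to the MySQL server.

```php
<?php
// Added example (not from the question or the answer on this page).
// Looks up a row in "cadastro" by "nome" with a PDO prepared statement.
// The SQLite in-memory database and sample rows below are constructed
// only so that this script runs offline.

declare(strict_types=1);

function connect(string $dsn, ?string $user = null, ?string $pass = null): PDO
{
    $pdo = new PDO($dsn, $user, $pass, [
        // Throw on errors instead of silently returning false.
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    if (str_starts_with($dsn, 'mysql:')) {
        // On MySQL, use real server-side prepares rather than client-side
        // emulation, so the value is never interpolated into the SQL text.
        // A MySQL DSN should also carry charset=utf8mb4 (or your charset).
        $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    return $pdo;
}

/** Return the first row whose nome equals $nome exactly, or null if none. */
function findByNome(PDO $pdo, string $nome): ?array
{
    // The SQL is a constant; only the placeholder's value varies.
    $stmt = $pdo->prepare('SELECT * FROM cadastro WHERE nome = :nome LIMIT 1');
    $stmt->bindValue(':nome', $nome, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// --- constructed offline demo -------------------------------------------
$pdo = connect('sqlite::memory:');
$pdo->exec('CREATE TABLE cadastro (id INTEGER PRIMARY KEY, nome TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO cadastro (nome) VALUES (:nome)');
foreach (["Maria", "O'Brien", "José"] as $nome) {
    // Inserts go through a prepared statement too, so the apostrophe in
    // O'Brien is stored as-is, with no escaping or HTML entities.
    $insert->execute([':nome' => $nome]);
}

// A name containing a quote needs no escaping: the quote is data, not SQL.
var_dump(findByNome($pdo, "O'Brien"));

// Input containing SQL metacharacters is compared as a literal string and
// matches no row; it cannot change the shape of the query.
var_dump(findByNome($pdo, "' OR '1'='1"));
```

Run it with any PHP 8 build that has the pdo_sqlite extension; to use it against MySQL, pass a DSN such as mysql:host=...;dbname=...;charset=utf8mb4 with the credentials to connect and keep findByNome as it is.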