What is the best way to avoid sql inject [duplicate]

Question

What is the best way to avoid sql inject [duplicate]

Navigation

#1 by (2 votes)

1

I have 2 ways to prevent against sql inject, they are:

1st

$input = $conexao->real_escape_string($input);

2nd

$input = filter_var ($input, FILTER_SANITIZE_SPECIAL_CHARS);

Query

select * from cadastro where nome = '".$input."' LIMIT 1

What's the best way?

Does real_escape_string consume mysql or php server resource?

php mysql

asked by anonymous 09.08.2017 / 18:56

1 answer

PHP and json how to print? How do I get the results of two tables by querying one with PDO?

score 2 · Answer 1

Using PDO also helps

 $query = "SELECT* FROM cadastro WHERE nome = :nome LIMIT 1";

 $stmt = $this->connection->prepare($query);
 $stmt->bindValue(":nome", $input, PDO::PARAM_STR);

So you define what kind of variable goes for each parameter PDO::PARAM_STR