erzoolander
asked on
$_POST to $_SESSION - Escaping to prevent MySQL Injections
I want to take a $_POST value and chuck it into a $_SESSION variable so information can be temporarily retained until the next $_POST is made. The values being grabbed from the $_POST are going to be variables sent to MySQL queries.
What is the best way to approach escaping the individual keys in the $_POST without doing them one by one? Would something like mysql_escape_string($_POST) work? Or ...?
Thanks!
Security, including using external variables in PHP... It's a lot to take in, but it's required reading for anyone developing PHP scripts.
http://php.net/manual/en/security.php
The mysqli equivalent is http://php.net/manual/en/mysqli.real-escape-string.php
You also want to look at filter_input_array
http://php.net/manual/en/function.filter-input-array.php
In conjunction with
http://php.net/manual/en/book.filter.php
http://php.net/manual/en/filter.filters.sanitize.php
Personally I ensure at DB write time that data is clean by running real_escape_string on the data as I added it to the query.
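An added example (not part of the thread, and not any poster's code) of the approach described in the last comment: validate every expected POST key in one pass with the filter extension, keep the unescaped values in the session, and call real_escape_string only when the query is built. The `orders` table, its columns, the form field names and the connection details are assumptions.

```php
<?php
// Added example: table, column and form field names are hypothetical.
// Rules for the expected POST keys; any key not listed here is discarded.
const SEARCH_RULES = [
    'customer_id' => ['filter' => FILTER_VALIDATE_INT, 'options' => ['min_range' => 1]],
    'status'      => ['filter' => FILTER_VALIDATE_REGEXP,
                      'options' => ['regexp' => '/^(open|closed|pending)$/']],
    'name'        => FILTER_UNSAFE_RAW,
];

// Validate all keys at once. For a real request, call
// filter_input_array(INPUT_POST, SEARCH_RULES), which accepts the same rules.
function validate_search(array $post): array
{
    $clean = filter_var_array($post, SEARCH_RULES);
    // A failed rule yields false and a missing key yields null: drop both.
    return array_filter($clean, fn($v) => $v !== false && $v !== null);
}

// Escape at query-build time, on the live connection, so the connection
// character set is honoured. Prepared statements avoid this step entirely.
function build_order_query(mysqli $db, array $criteria): string
{
    $where = [];
    if (isset($criteria['customer_id'])) {
        $where[] = 'customer_id = ' . (int) $criteria['customer_id'];
    }
    foreach (['status', 'name'] as $col) {
        if (isset($criteria[$col])) {
            // The escaped value is only safe inside quotes.
            $where[] = "$col = '" . $db->real_escape_string($criteria[$col]) . "'";
        }
    }
    return 'SELECT id, total FROM orders' . ($where ? ' WHERE ' . implode(' AND ', $where) : '');
}

// Constructed sample input standing in for $_POST.
$post = ['customer_id' => '42', 'status' => "open' OR '1'='1", 'name' => "O'Brien", 'extra' => 'x'];
$session = ['search' => validate_search($post)];  // stands in for $_SESSION['search']
var_dump($session['search']);
// With a connection (placeholder credentials, set the charset before escaping):
// $db = new mysqli('localhost', 'user', 'pass', 'shop'); $db->set_charset('utf8mb4');
// echo build_order_query($db, $session['search']);
```

Storing the validated but unescaped values in the session keeps them usable for display as well as for queries, and avoids double escaping when the same value is written to the database more than once.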