Sanitary text input before sending to MySQL database
I am currently working to ensure that the text that has been submitted to the database for the web application I am working on is carefully cleaned up before being sent to the database, and then retrieved and displayed correctly.
Ignoring the mess of sanitizing functions currently in use (it's currently a mess and ripping apart), this is what I plan on doing:
-
Use CKEditor to enter text. It will automatically convert HTML tags / characters to its HTML entities.
-
Use prepared PDO statements to submit text to the database.
Is this sufficient to properly disinfect the bushing? I've read about this and many people say they use magic quotes, however I read that magic quotes are old and most do not recommend using it.
Thank you in advance for your help!
source to share
Well, PDO is fine with just basic examples from the beginner's guide.
Whatever tricky problem gets PDO into trouble, as well as any other API.
But as long as you're willing to spend your time writing huge inserts, iterating over each variable six to ten times, following all of these answers here - PDO is fine.
But just so you know, there is no ready-made statement for identifiers.
As far as CKEditor is concerned - is it not a client application? If so, it will not protect anything.
Therefore, it is better to follow the guidelines from another answer - pass unreliable user input through htmlspecialchars () when displaying it on an HTML page
source to share
Don't use magic quotes. http://php.net/manual/en/security.magicquotes.php
This function has been DEPRECATED since PHP 5.3.0 and removed since PHP 5.4.0.
If you are using prepared statements, you should be safe from SQL injection. Don't forget to run user input through htmlspecialchars()
when displaying it on the interface.
source to share