SQL Injection Prevention: Is mysql_real_escape_string() really all I need?
Possible Duplicate:
Best Way to Stop SQL Injection in PHP
It seems too good to be true to me that this simple function does everything I need. However, most of my Google searches come up with results that basically say "just use this feature and you'll be fine!"
I've seen a couple that, briefly or at too high a level for my own novice mind to understand, talk about parameterized SQL statements. Are they necessary, and if so, can someone point me to a good link?
+2
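An added example, not taken from the question or any of the answers, showing the gap the question is asking about. It uses mysqli::real_escape_string(), which is the same escaping routine the old mysql_real_escape_string() wrapped (the mysql_* extension is gone since PHP 7), and a mysqli prepared statement as the parameterized alternative. Assumptions that are not in the original page: a local MySQL or MariaDB reachable on 127.0.0.1 with user "test", password "test" and database "test"; the table and rows are constructed for the demo.

```php
<?php
// Added example, not code from the original question or answers.
// Assumption: local MySQL/MariaDB on 127.0.0.1, user "test", password "test", db "test".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('127.0.0.1', 'test', 'test', 'test');
$db->set_charset('utf8mb4'); // escaping is charset-aware: always set the charset on the connection

// Constructed sample data (temporary table, disappears when the connection closes).
$db->query('CREATE TEMPORARY TABLE users (id INT PRIMARY KEY, name VARCHAR(64), secret VARCHAR(64))');
$db->query("INSERT INTO users VALUES (1,'alice','a-secret'), (2,'bob','b-secret'), (3,'carol','c-secret')");

// Helper: collapse a result set to the list of names it returned.
function names(mysqli_result $result): array
{
    return array_column($result->fetch_all(MYSQLI_ASSOC), 'name');
}

// Case 1: escaped value placed inside a quoted string literal. Escaping does its job here:
// the attacker's quotes become \' and the whole thing is compared as one harmless string.
$name = "' OR '1'='1";                                   // attacker-controlled input
$sql  = "SELECT name FROM users WHERE name = '" . $db->real_escape_string($name) . "'";
echo "quoted + escaped  : ", json_encode(names($db->query($sql))), "\n";  // []

// Case 2: the same function, but the value lands in an UNQUOTED numeric position.
// "1 OR 1=1" contains nothing that real_escape_string() escapes, so it passes through
// untouched and the WHERE clause becomes "id = 1 OR 1=1": every row comes back.
$id  = "1 OR 1=1";                                       // attacker-controlled, e.g. from ?id=
$sql = "SELECT name FROM users WHERE id = " . $db->real_escape_string($id);
echo "unquoted + escaped: ", json_encode(names($db->query($sql))), "\n";  // ["alice","bob","carol"]

// Case 3: prepared statement. The SQL text is parsed once with a placeholder; the value
// is sent separately and can never be parsed as SQL, whatever context the placeholder is in.
// Casting to int is belt-and-braces: the bound value is data either way.
$idInt = (int) $id;                                      // "1 OR 1=1" -> 1
$stmt  = $db->prepare('SELECT name FROM users WHERE id = ?');
$stmt->bind_param('i', $idInt);
$stmt->execute();
echo "prepared statement: ", json_encode(names($stmt->get_result())), "\n"; // ["alice"]

$db->close();
```

The takeaway is in case 2: escaping only protects a value that sits inside a quoted string literal, so an unquoted integer, a column name in ORDER BY, or a LIMIT value is still injectable no matter how carefully it is escaped. A prepared statement does not have that failure mode, which is why the linked answers recommend it over escaping by hand; if you must build SQL dynamically, cast numbers with (int) and whitelist identifiers instead of escaping them.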
3 answers
Look at this question, great accepted answer: Do htmlspecialchars and mysql_real_escape_string protect PHP code from injection?
0
Alternative point of view: http://littlebobbytables.com/
Edit: wow, this is a completely wrong site: try this one: http://bobby-tables.com/
+1