0

I have many functions like

updateUser($id,$username,$email) updateMusic($id, $music)

etc...

Is there a generic function to avoid SQL injections ?

I just want to avoid using mysql_real_escape_string for each parameter I have

$username = mysql_real_escape_string($username); $email= mysql_real_escape_string($email); $music= mysql_real_escape_string($music);
Improve this question
3
  • You could just put them in your function, instead of having to pass them into the params each time. Commented Aug 18, 2011 at 8:37
  • yes there is a generic function - mysql_real_escape_string() Commented Aug 18, 2011 at 9:19
  • 1
    This question is similar to: How can I prevent SQL injection in PHP?. If you believe it’s different, please edit the question, make it clear how it’s different and/or how the answers on that question are not helpful for your problem. Commented Jan 28 at 7:59

4 Answers 4

Reset to default
3

  • ALWAYS use prepared statements

  • Do NOT use mysql driver, use mysqli or PDO

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

2

You should use parameterization and let the database driver handle it for you, i.e. with PDO:

$dbh = new PDO('mysql:dbname=testdb;host=127.0.0.1', $user, $password); $stmt = $dbh->prepare('INSERT INTO REGISTRY (name, value) VALUES (:name, :value)'); $stmt->bindParam(':name', $name); $stmt->bindParam(':value', $value); // insert one row $name = 'one'; $value = 1; $stmt->execute();

Code from Bobby-Tables.

Improve this answer

Comments

1

you may use, 

list($id,$music) = array_map('mysql_real_escape_string',array($id,$music))

but prepared statements rocks

Improve this answer

Comments

0

No there isn't, but you can parse all your inputs ( eg. GET and POST ) at beggining of the script

Improve this answer

1 Comment

"Parse" is too vague to be useful IMO.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.