Hello. Is it enough to use this filtering option before writing to the database (replacing characters with their mnemonic codes, i.e. HTML entities)?

// Replaces double quotes, backslashes and single quotes with their HTML entities
// (the entities had been decoded by extraction; reconstructed here as &quot; &#92; &#39;)
$textCode = str_replace(array('"', '\\', "'"), array('&quot;', '&#92;', '&#39;'), $textCode);

The filtered value is then read back from the database when the product filter is used.

  • The purpose of this manipulation is not clear; if you need to protect yourself from SQL injection, it is better to use a prepared statement: php.net/manual/en/mysqli.prepare.php . - E_p
  • Is my method safe from SQL injection, or is it ambiguous? - Sarkis Allahverdian
  • Prepared statement? 100%. - E_p
  • In my opinion, can nothing definite be said? It's just that the whole engine is built on this filtering method, and I want to know whether it is viable in terms of security. - Sarkis Allahverdian
  • What for? The database has a function that filters everything at the driver level. If it is done through PDO, it will also support different databases. Every line that can be thrown out is a good thing. Then we change yours to php.net/manual/en/mysqli.real-escape-string.php and everything works the same as before. - E_p

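To make the comments concrete, here is an added example (not code from the question or the commenters) that puts the entity-replacement filter from the question next to the prepared-statement approach recommended in the comments. It assumes a hypothetical MySQL table `products` with columns `id` (INT, auto-increment) and `name` (VARCHAR), and connection parameters in `$dbHost`, `$dbUser`, `$dbPass` and `$dbName`; the sample value is constructed so that it contains every character the filter touches.

```php
<?php
// Added example for this question; table `products` (id INT AUTO_INCREMENT, name VARCHAR)
// and the connection variables below are hypothetical.

// 1. The entity-replacement "filter" from the question, kept for comparison.
function filterToEntities(string $value): string
{
    return str_replace(array('"', '\\', "'"), array('&quot;', '&#92;', '&#39;'), $value);
}

// 2. Parameterised insert: the value is sent separately from the SQL text,
//    so the driver never parses it as part of the statement.
function insertProduct(mysqli $db, string $name): int
{
    $stmt = $db->prepare('INSERT INTO products (name) VALUES (?)');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// 3. Parameterised lookup for the "product filter" mentioned in the question.
function findProductsByName(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM products WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($id, $foundName);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['id' => $id, 'name' => $foundName];
    }
    $stmt->close();
    return $rows;
}

// Constructed sample containing a single quote, double quotes and a backslash.
$sample = 'O\'Reilly "Pro" 12\\7';

// The filter alters the stored data itself: O&#39;Reilly &quot;Pro&quot; 12&#92;7
echo filterToEntities($sample), PHP_EOL;

// Make mysqli throw on errors instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli($dbHost, $dbUser, $dbPass, $dbName);
$db->set_charset('utf8mb4'); // the driver escapes relative to this charset

$newId = insertProduct($db, $sample);
// The stored name comes back exactly as entered; no entity decoding is needed on output.
foreach (findProductsByName($db, $sample) as $row) {
    printf("%d: %s\n", $row['id'], $row['name']);
}

// If a query really cannot be parameterised, use the driver's own escaping
// (the real_escape_string function from the comments) rather than a hand-written str_replace.
$escaped = $db->real_escape_string($sample);
$sql = "SELECT id FROM products WHERE name = '" . $escaped . "'";
```

Two points the example makes visible: the `str_replace` filter changes what is stored (a name like `O'Reilly` lands in the table as `O&#39;Reilly`, so every output path has to undo it), and it only neutralises quote characters, so it says nothing about values that end up in an unquoted position such as a numeric comparison. With `bind_param` the value never becomes part of the SQL text at all, and when escaping is unavoidable, `real_escape_string` must be used after `set_charset`, since the escaping rules depend on the connection charset.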