i'm using this in every $_get or $_post before acces or insert to my Database..
i'm sure it's not eno开发者_开发问答ugh.. but how safe is it? can i combine it with some expresion to make it safer?
thanks a lot!
so how about this? mysql_real_escape_string(htmlspecialchars( $value ));
No, that is not enough. You should use mysql_real_escape_string
to prevent sql injection attacks.
mysql_escape_string($value) is a bit smarter when sanitizing strings that will be used in an SQL query.
You should use mysql_real_escape_string() to protect your database from injection attacks (or better yet, prepared statements with something like the PDO library) and htmlspecialchars() when you're displaying data pulled from a database.
精彩评论