Best way to escape strings for SQL inserts?
08-07-2019
Question
What is the best way to escape strings for SQL inserts and updates?
I want to allow special characters including ' and ". Is the best way to search and replace each string before I use it in an insert statement?
Thanks
Duplicate of: Best way to defend against mysql injection and cross site scripting
Solution
You should be using parameterized queries (so by extension, a DB interface library that supports parameterized queries) so that SQL injection can't happen.
OTHER TIPS
If you're talking about data values for your fields, then the best way is to use mysql_real_escape_string(). (Some people like mysqli; can't say I do.) If you're talking about allowing user-submitted queries... well, let's hope you're not talking about that.
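To show the difference between the three approaches discussed above (splicing the raw value into the statement, escaping it by hand as the second answer suggests, and binding it as a parameter as the accepted answer recommends), here is an added example that is not part of the original thread. It uses Python's built-in `sqlite3` module as a stand-in for a MySQL driver, so the placeholder is `?` (MySQL drivers typically use `%s`), and `insert_escaped` implements the SQL-standard single-quote doubling rather than calling `mysql_real_escape_string()`; the sample names are constructed and contain exactly the quote characters the question asks about.

```python
import sqlite3

# Constructed sample values containing the characters the question asks about.
SAMPLE_VALUES = ["O'Reilly", 'say "hi"', 'it\'s "both"']


def make_db():
    """Fresh in-memory database with one table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def insert_concat(conn, name):
    # Vulnerable pattern: the value becomes part of the SQL text, so any
    # single quote in it ends the literal early and the statement fails or
    # changes meaning.
    conn.execute("INSERT INTO users (name) VALUES ('" + name + "')")


def insert_escaped(conn, name):
    # Manual escaping: double every single quote (the SQL-standard rule).
    # This fixes the quote problem for this driver, but it only works if
    # every code path remembers to call it and if the escaping rules match
    # the server's quoting rules exactly.
    escaped = name.replace("'", "''")
    conn.execute("INSERT INTO users (name) VALUES ('" + escaped + "')")


def insert_param(conn, name):
    # Parameterized query: the driver sends the value separately from the
    # statement text, so it is never parsed as SQL and needs no escaping.
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))


def stored_names(conn):
    """Return the names actually stored, in insertion order."""
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY id")]


def compare(values=SAMPLE_VALUES):
    """Run each insertion strategy on a fresh database and report what was
    stored and which values made the statement fail."""
    strategies = (
        ("concat", insert_concat),
        ("escaped", insert_escaped),
        ("param", insert_param),
    )
    results = {}
    for label, insert in strategies:
        conn = make_db()
        failed = []
        for value in values:
            try:
                insert(conn, value)
            except sqlite3.Error:
                # A failed statement is the harmless outcome; against a real
                # server the same quote could instead alter the query.
                failed.append(value)
        results[label] = {"stored": stored_names(conn), "failed": failed}
        conn.close()
    return results


if __name__ == "__main__":
    for label, outcome in compare().items():
        print(f"{label:8s} stored={outcome['stored']!r} failed={outcome['failed']!r}")
```

Running it shows the concatenated version rejecting every value that contains a single quote, while both the escaped and the parameterized versions store all three values intact. The parameterized form is the one to standardize on: it needs no per-value escaping step, so there is no path on which someone can forget to apply it.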