Question
Bollard
Hello all,
This is my first time dealing with PHP / MySQL and I am trying to do it right and avoid any future security headaches.
I have created a script to search a database for part numbers and return the results - now I'm trying to secure it. I want to know the best practices. So far I have:
$sanitized_part_search = mysql_real_escape_string($part_search);
and
$query = mysql_query("SELECT * FROM `stock_search` WHERE `part_number` LIKE '%$sanitized_part_search%'") or die(mysql_error());
But I'm having issues with mysql_real_escape_string not seeming to do anything. I think it's due to the mysql_real_escape_string being set to On by my host? But I don't want to be relying on magic_quotes because it's deprecated? What about MySQLi? Prepared statements? sprintf? PDO?
Basically, I would love a current, secure, best practices template. I'm getting confused with add/stripslashes and mysql_real_escape_string and can see myself making some really stupid mistakes.
Thanks for any help
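The kind of "current, secure template" the question asks for, written as an added example (this is not the poster's code and not from any answer on the page): the same part-number search done with PDO prepared statements instead of mysql_real_escape_string. The table `stock_search` and column `part_number` come from the question; the DSN, credentials, the `part_search` query parameter and the `escapeLike` / `searchParts` helper names are assumptions.

```php
<?php
// Added example: PDO prepared-statement version of the part-number search.
// Table/column names come from the question; connection details below are
// placeholders, and escapeLike()/searchParts() are names chosen for this example.

declare(strict_types=1);

// Connection settings (assumed values, replace with your own).
$dsn  = 'mysql:host=127.0.0.1;dbname=parts_db;charset=utf8mb4';
$user = 'db_user';
$pass = 'db_password';

$pdo = new PDO($dsn, $user, $pass, [
    // Throw exceptions instead of silently returning false.
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    // Real server-side prepared statements: the driver never splices
    // the bound value into the SQL text.
    PDO::ATTR_EMULATE_PREPARES   => false,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

/**
 * Escape the characters that act as wildcards inside a LIKE pattern.
 * Binding the value already rules out SQL injection, but a '%' or '_'
 * typed by the user would still behave as a wildcard unless escaped.
 * '!' is used as the escape character to avoid backslash-quoting issues.
 */
function escapeLike(string $value, string $escapeChar = '!'): string
{
    return str_replace(
        [$escapeChar, '%', '_'],
        [$escapeChar . $escapeChar, $escapeChar . '%', $escapeChar . '_'],
        $value
    );
}

/**
 * Search stock by part number with a parameterised LIKE query.
 * Returns an array of rows (possibly empty).
 */
function searchParts(PDO $pdo, string $partSearch, int $limit = 100): array
{
    $pattern = '%' . escapeLike($partSearch) . '%';

    // The user input is never concatenated into the SQL string; it is sent
    // to the server separately as a bound parameter.
    $stmt = $pdo->prepare(
        'SELECT * FROM `stock_search`
         WHERE `part_number` LIKE :pattern ESCAPE \'!\'
         LIMIT :limit'
    );
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll();
}

// Read the search term straight from the request: no addslashes/stripslashes,
// no mysql_real_escape_string; the prepared statement handles quoting.
$partSearch = isset($_GET['part_search']) ? (string) $_GET['part_search'] : '';

try {
    $rows = searchParts($pdo, $partSearch);
    foreach ($rows as $row) {
        // Escape on output so a stored part number cannot inject HTML into the page.
        echo htmlspecialchars((string) $row['part_number'], ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
} catch (PDOException $e) {
    // Keep the detailed error in the server log; show the user a generic message.
    error_log($e->getMessage());
    echo 'Search failed.';
}
```

Two design points worth noting: with `PDO::ATTR_EMULATE_PREPARES` set to false the placeholder is handled by the MySQL server itself, so the value is never part of the SQL text and magic_quotes or escaping functions no longer enter the picture (magic quotes were removed in PHP 5.4 and the `mysql_*` extension in PHP 7.0); and `escapeLike()` addresses the separate issue that a bound `LIKE` value can still contain `%` or `_`, which a prepared statement does not neutralise on its own.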
2 answers to this question