1

I have many functions like

updateUser($id,$username,$email)
updateMusic($id, $music)

etc...

Is there a generic function to avoid SQL injections ?

I just want to avoid using mysql_real_escape_string for each parameter I have

$username = mysql_real_escape_string($username);
$email= mysql_real_escape_string($email);
$music= mysql_real_escape_string($music);
Improve this question
2
  • You could just put them in your function, instead of having to pass them into the params each time.
    – Prisoner
    Commented Aug 18, 2011 at 8:37
  • yes there is a generic function - mysql_real_escape_string()
    – symcbean
    Commented Aug 18, 2011 at 9:19

4 Answers 4

Reset to default
3

  • ALWAYS use prepared statements

  • Do NOT use mysql driver, use mysqli or PDO

Improve this answer
0
2

You should use parameterization and let the database driver handle it for you, i.e. with PDO:

$dbh = new PDO('mysql:dbname=testdb;host=127.0.0.1', $user, $password); 
$stmt = $dbh->prepare('INSERT INTO REGISTRY (name, value) VALUES (:name, :value)');
$stmt->bindParam(':name', $name); 
$stmt->bindParam(':value', $value); 

// insert one row 
$name = 'one'; 
$value = 1; 
$stmt->execute();

Code from Bobby-Tables.

Improve this answer
1

you may use, 

list($id,$music) = array_map('mysql_real_escape_string',array($id,$music))

but prepared statements rocks

Improve this answer
0

No there isn't, but you can parse all your inputs ( eg. GET and POST ) at beggining of the script

Improve this answer
1

Not the answer you're looking for? Browse other questions tagged or ask your own question.