Just thought I'd mention, you're giving bad advice on how to solve SQL

  • Profile Image
    hammersoftware
    Asked on October 10, 2019 at 06:48 AM

    Just thought I'd mention, you're giving bad advice on how to solve SQL injection. Adding slashes is not going to work properly if the person is not using MySQL, which is why the php documentation for addslashes() specifically states that is bad advice and suggests that you use a database-specific method to solve it.

    Instead a proper suggestion to tell the person wanting to save your data is to use prepared statements:

    https://stackoverflow.com/questions/8263371/how-can-prepared-statements-protect-from-sql-injection-attacks/8265319

    If you're using PHP, this can be accomplished via PDO or PEAR, or for MySQL specifically, you can use mysqli.

    Using backslashes in SQL code can introduce a whole host of other problems.

    From the same stackoverflow article:

    For example, there(1) are(2) still(3) many(4) answers(5), including the second most upvoted answer suggesting you manual string escaping - an outdated approach that is proven to be insecure.



    This is a re-post of a comment on How to send Submissions to Your MySQL Database Using PHP

  • Profile Image
    Richie_P
    Answered on October 10, 2019 at 07:58 AM

    Its true that Addslashes() is not good enough when dealing with multibyte encoded strings. However, it still does prevent SQL injections.

    Prepared statements is indeed a good practice to use when updating/saving database.

    Thank you for your advice and we will take note on this.