Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Using php filter_var with mysql_real_escape_string

Tags:

php

mysql

I would like to start my question by saying, I realize PDO/mysqli is the new standard and has been widely covered on SO. However in this particular case I dont have time to convert all queries to PDO before launching the clients site.

The following has been used throughout most of the queries on the site (not by me may I add)

  $userEmail = filter_var($_POST['fEmail'], FILTER_SANITIZE_EMAIL);
   $userEmail = mysql_real_escape_string($userEmail);
   $sql ="SELECT email FROM members WHERE email = '$userEmail'";
   :
   :

I would like to know:

Is it good / okay practise to use filter_var and mysql_real_escape_string together as in the example above? My main concern is, can these two functions be used together or cause some sort of conflict / bug when executing / uploading to DB?

Also is there any sort of benefit in using both?

Thanks in advance

like image 797
Timothy Coetzee Avatar asked Sep 03 '15 14:09

Timothy Coetzee

2 Answers

Sanitising a string serves to make it conform to certain expectations. FILTER_SANITIZE_EMAIL removes any characters from a string which would be invalid in an email. The result is (supposedly) guaranteed to conform to email address syntax. How useful randomly removing characters from a string is I'll leave up to you. (Hint: I don't think it's very useful at all; you should rather reject invalid addresses than to transform them into random results. I give you an invalid email address, you hammer it into some shape that resembles an email address, now how do you know you'll be able to send me an email...?!)

mysql_real_escape_string is there to ensure that an arbitrary string does not violate SQL's string literal syntax by escaping all escape-worthy characters. Assuming you're using it correctly (lots of pitfalls mysql has, which is why it's deprecated...), there's nothing you can do to its input that would make it fail. You give it any arbitrary string, it returns you the escaped version, period.

As such, in general, yes, what you're doing is fine. If mysql_real_escape_string is the last thing you do to your string before interpolating it into an SQL string literal, then it's fine.

like image 65
deceze Avatar answered Oct 18 '22 05:10

deceze

In this case, if the filter fails the query will be:

SELECT email FROM members WHERE email = '0'

So, not much to worry about the query; it just won't return any results.

Unless of course, you have a similar insert / update query.

In which case, you could have plenty of rows in the database where the email is '0'

like image 3
andrew Avatar answered Oct 18 '22 07:10

andrew
Sign in to Comment

Related questions

.htaccess password protect directory but allow image file types
php://input - what does it do in fopen()?
Is there a way test STDERR output in PHPUnit?
most simple way to start a new process/thread in PHP
anonymous function performance in PHP [closed]
Echoing content sometimes takes a very long time
Command-line script PHP does not run
Any way to check anonymous functions?
MySQL the right syntax to use near '' at line 1 error
Which hashing algorithm provides the longest output?
Weaknesses and forces of Doctrine 2 and Propel 1.6 [closed]
Creating a search form in PHP to search a database? [duplicate]
Putting PHP code in a string
How do I ignore certain files while debugging in PHPStorm?
SQLSTATE[HY093]: Invalid parameter number: no parameters were bound, but parameters are provided
What is causing PDO error Cannot execute queries while other unbuffered queries are active?
Jenkins REST interface - Timestamp Format
View a PHP Closure's Source
Easiest way to get list of files in the server directory
Intervention Image Laravel 5.1

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!