  1. #1
    Regular Coder

    Best way to sanitize/escape PDO data?

    As I work on another project, I encountered a MySQL error that I assume has to do with the use of an unescaped single quote. Should I use addslashes(), sanitize filters, or some other option? What would be the best way?
    Last edited by elitis; 01-14-2013 at 10:23 PM.
    Coding is a challenge, get used to it
    Always remember to debug
    Try the guess & check method
    Break it down into simple steps

  • #2
    Fou-Lu (God Emperor)
    No, you never use addslashes. Always use stripslashes if magic_quotes are enabled though.
    PHP Code:
    // Undo the escaping PHP added on input when magic_quotes_gpc is on
    if (get_magic_quotes_gpc())
    {
        $data = stripslashes($data);
    }

    As for escaping in PDO, you don't. Since it's abstract, there is really no way to develop a function directly for it. You can always write something of your own though, but then you'd need to write it for each of the DBs supported by PDO's drivers.
    Not that it matters though, you should be using the prepared statements anyway, which don't need to be (and should not be) escaped.

    Edit:
    Oh, I lied, there is a method in PDO: http://www.php.ca/manual/en/pdo.quote.php
    Never tried it though, but I assume it would do the job. Bind > escape any day.

  • #3
    Regular Coder
    Huh, what's up with this error then: (Only occurs when inserting quotes, and I'd assume other special characters)
    Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/font>t <br></i></font></li><li><font color="bronze"><i>even <br></i></font></li' at line 1' in /home/www/example.com/rtf.php:16 Stack trace: #0 /home/www/example.com/index.php(16): PDOStatement->execute() #1 {main} thrown in /home/www/example.com/index.php on line 16

    PHP Code:
    if (isset($_POST['post'])) {
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $_POST['post'] = stripslashes($_POST['post']);
        }
        $author = $_POST['author'];
        $post = $_POST['post'];
        $con = new PDO(DB_DSN, DB_USERNAME, DB_PASSWORD);
        // set how PDO will handle errors
        $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // user input is interpolated straight into the SQL text here, so a quote in $post breaks the statement
        $postSQL = "INSERT INTO `posts` (`author`, `post`, `date`) VALUES ('$author', '$post', NOW())";
        $postQ = $con->prepare($postSQL);
        $postQ->execute();
    }
    Edit: Never mind. Just realized after reading your post I didn't bind them.
    Last edited by elitis; 01-14-2013 at 10:22 PM.
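    For reference, here is the INSERT from post #3 rewritten to bind the values instead of interpolating them. This is an added example, not code from the thread; it assumes the same DB_DSN / DB_USERNAME / DB_PASSWORD constants and `posts` table as the original, and the insertPost() function name is the example's own.

```php
<?php
// Added example (not from the thread): bind user input with PDO instead of
// splicing it into the query string. Assumes the page's DB_* constants and
// the `posts` (author, post, date) table; insertPost() is a made-up helper.

function insertPost(PDO $con, string $author, string $post): int
{
    // Named placeholders are sent to the server separately from the SQL text,
    // so a quote, backslash or "</font>" inside $post cannot change the statement.
    $sql = 'INSERT INTO `posts` (`author`, `post`, `date`) VALUES (:author, :post, NOW())';
    $stmt = $con->prepare($sql);
    $stmt->bindValue(':author', $author, PDO::PARAM_STR);
    $stmt->bindValue(':post', $post, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $con->lastInsertId();
}

$con = new PDO(DB_DSN, DB_USERNAME, DB_PASSWORD, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Use real server-side prepares on MySQL rather than client-side emulation,
    // so parameter values are never merged back into the query text.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

if (isset($_POST['post'], $_POST['author'])) {
    // No addslashes()/PDO::quote() needed once values are bound; if you still
    // run with magic_quotes_gpc on, strip its slashes *before* binding so the
    // stored text is exactly what the user typed.
    insertPost($con, $_POST['author'], $_POST['post']);
}
```

    PDO::quote(), the method linked in post #2, is only for the rare case where a value must be inlined into the SQL text; with bound parameters it is not needed.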

