How can I sanitize user input for a search query and still keep there data as is for example if a user enters & it wont be converted to & and if a user enters & it wont be converted to &?
Add a comment
|
3 Answers
* use `mysql_real_escape_string()`
* Use `strip_tags()` to filter out unwanted HTML
* Escape all other output with `htmlspecialchars()`
answered Dec 31, 2010 at 5:40
Bhanu Prakash Pandey
3,7851 gold badge26 silver badges16 bronze badges
Comments
If you are querying a MySQL database, I would recommend the mysql_real_escape_string() function. I don't think you should have too much of a problem. You can always convert characters back, but you want to ensure that you sanitize for the database when you query it.
2 Comments
HELP
can you give me an example of converting and deconverting?
dqhendricks
you will want to use mysql_real_escape_string() to sanitize a string for a mysql query. you will not have to desanitize it after you grab it from the database. you will also want to cast any numbers before you put it into a query - (int)$variable or (float)$variable. you will want to strip_tags() and variables that you print out onto your web page.
<?php
$user = $_POST['username'];
$pwd = $_POST['password'];
// escape username and password for use in SQL
$user = mysql_real_escape_string($user);
$pwd = mysql_real_escape_string($pwd);
$sql = "SELECT * FROM users WHERE
user='" . $user . "' AND password='" . $pwd . "'"
// more code
mysql_close($con);
?>
