Skip to content

should i still sanitise input with mysqli?

php

I’m using mysqli prepared statements. Should I still sanitise the user input with some function like:

function sanitise($string){
  $string = strip_tags($string); // Remove HTML
  $string = htmlspecialchars($string); // Convert characters
  $string = trim(rtrim(ltrim($string))); // Remove spaces
  $string = mysql_real_escape_string($string); // Prevent SQL Injection
  return $string;
}

Thanks.

Advertisement

Answer

No! No and no. If you are already using prepared statements, MySQL needs to see the value, not some escaped version of it. If you add mysql_real_escape_string to a string and make that the value for a prepared statement, you have just junked it, for example, quotes get doubled up!

Now, as for sanitising data-wise, that’s entirely up to the business rules as to what is or is not valid input. In your example, strip_tags is more about html->raw (format) conversion than sanitation. So is rtrim(ltrim – this is a business transformation.

User contributions licensed under: CC BY-SA
1 People found this is helpful