I’m using mysqli prepared statements. Should I still sanitise the user input with some function like:
```php
function sanitise($string) {
    $string = strip_tags($string);               // Remove HTML
    $string = htmlspecialchars($string);         // Convert characters
    $string = trim(rtrim(ltrim($string)));       // Remove spaces
    $string = mysql_real_escape_string($string); // Prevent SQL Injection
    return $string;
}
```
Thanks.
Answer
No! No and no. If you are already using prepared statements, MySQL needs to see the value, not some escaped version of it. If you add mysql_real_escape_string to a string and make that the value for a prepared statement, you have just junked it; for example, quotes get doubled up!
Now, as for sanitising data-wise, that's entirely up to the business rules as to what is or is not valid input. In your example, strip_tags is more about html->raw (format) conversion than sanitisation. So is rtrim(ltrim(...)) – this is a business transformation.
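To make the answer concrete, here is an added example (not code from the question or the answer) showing the value going straight into a bound parameter, with validation kept as a business rule and HTML escaping moved to output time. It assumes an open mysqli connection in `$mysqli` configured to throw on errors, a table `comments` with a `body` TEXT column, and a hypothetical 1..1000 character length rule.

```php
<?php
// Added example; not code from the original question or answer.
// Assumes: $mysqli is an open mysqli connection (mysqli_report set to throw
// exceptions) and a table `comments` with a `body` TEXT column exists.

function save_comment(mysqli $mysqli, string $body): void
{
    // The only "sanitising" that belongs here is business-rule validation:
    // decide what counts as valid input and reject the rest.
    // (Hypothetical rule for this example: 1..1000 characters after trimming.)
    $body = trim($body);
    if ($body === '' || mb_strlen($body) > 1000) {
        throw new InvalidArgumentException('comment body must be 1-1000 characters');
    }

    // The value is bound to the placeholder and sent separately from the SQL
    // text, so it needs no escaping: the server never parses it as SQL.
    $stmt = $mysqli->prepare('INSERT INTO comments (body) VALUES (?)');
    $stmt->bind_param('s', $body);
    $stmt->execute();
}

function render_comment(string $body): string
{
    // HTML escaping is an output-context concern; do it when rendering,
    // not when storing, so the database keeps the real value.
    return '<p>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample input: an apostrophe and tags, both legitimate content.
$input = "O'Reilly wrote <b>hello</b>";
save_comment($mysqli, $input);   // stored exactly as typed

// What escaping *before* binding would have stored instead (the mistake in
// the question). mysqli's real_escape_string stands in for the removed
// mysql_real_escape_string of the old ext/mysql extension.
$junked = $mysqli->real_escape_string($input);   // O\'Reilly wrote <b>hello</b>

echo render_comment($input);
```

If the escaped `$junked` string were bound instead of `$input`, the backslash would be stored as part of the comment, which is the "junked" value the answer warns about.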