PHP
PO6OT, 2015-04-10 17:03:18

When writing GET parameters in MySQL, do I need to escape some characters to prevent arbitrary code from executing?

When writing the desired parameters from the $_GET and $_POST arrays (that is, any value) to MySQL tables, do I need to use some kind of escaping functions, such as mysql_escape_string or addslashes, to prevent arbitrary code from executing?


2 answer(s)
OnYourLips, 2015-04-10
@woonem

do I need to use some kind of escaping functions like mysql_escape_string or addslashes to prevent arbitrary code from executing?

No, this is outdated and already incorrect information. Just pass your parameters as the substituted values in a prepared statement, and everything will be safe.

FanatPHP, 2015-04-10
@FanatPHP

from $_GET and $_POST arrays (i.e. any value)

Actually, there are other arrays besides $_GET and $_POST, and non-arrays as well. $_GET and $_POST hardly qualify as the source of "any" value; it is not clear why these two are singled out.
And this is complete nonsense. I can give a dozen examples offhand where "escaping functions" won't prevent anything at all. And why? Because the purpose of these functions is entirely different; it has nothing to do with protection from code execution.
To protect against code execution, any variable must enter the query through a placeholder.
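Both answers say the same thing: escaping functions are not the defence, placeholders in a prepared statement are. The following is an added example (not code from either answerer or from the original thread) that shows the vulnerable string-gluing form next to the placeholder form for both a SELECT and the asker's INSERT case, plus the one caveat a placeholder cannot cover. It uses PDO, and it assumes an in-memory SQLite database as a stand-in for MySQL so it runs offline; the SQL is plain enough to work on both, and the table, rows and request array are constructed for the demo.

```php
<?php
// Added example, not from the original thread. Assumes PDO with an
// in-memory SQLite database standing in for the MySQL DSN the thread
// discusses; swap the DSN for a real MySQL one in practice.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:'); // assumption: stand-in for 'mysql:host=...;dbname=...'
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // On MySQL you would also set PDO::ATTR_EMULATE_PREPARES to false so the
    // server, not the client, separates SQL text from values.
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT NOT NULL, email TEXT NOT NULL)');
    $db->exec("INSERT INTO users (login, email) VALUES ('alice', 'alice@example.test'), ('bob', 'bob@example.test')");
    return $db;
}

// The form the question is really about: a request value glued into the SQL
// text. Shown for contrast only. Note that an escaping function would change
// nothing here, because the value is not inside quotes at all; this is one of
// the cases FanatPHP alludes to where escaping "won't prevent anything".
function findByIdUnsafe(PDO $db, string $id): array
{
    $sql = 'SELECT id, login FROM users WHERE id = ' . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholder form: the value never becomes part of the SQL text, so its
// content cannot change what the statement does.
function findById(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, login FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The asker's case: writing values from a request array into a table.
// Every value enters through a placeholder; no addslashes or escape call.
function createUser(PDO $db, array $request): int
{
    $stmt = $db->prepare('INSERT INTO users (login, email) VALUES (?, ?)');
    $stmt->execute([$request['login'] ?? '', $request['email'] ?? '']);
    return (int) $db->lastInsertId();
}

// Caveat: placeholders carry values only. An identifier such as the column in
// ORDER BY cannot be bound, so it must be checked against a fixed whitelist.
function listUsers(PDO $db, string $orderBy): array
{
    $allowed = ['id', 'login', 'email'];
    if (!in_array($orderBy, $allowed, true)) {
        $orderBy = 'id'; // unknown column name: fall back to a safe default
    }
    return $db->query("SELECT id, login, email FROM users ORDER BY $orderBy")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request array, standing in for $_POST / $_GET.
$request = ['login' => "o'connor", 'email' => 'oc@example.test'];

$db = makeDb();
$newId = createUser($db, $request);
var_dump(findById($db, (string) $newId));  // the quote in the login is stored as-is
var_dump(findByIdUnsafe($db, '1'));        // works on benign input, which is why the bug goes unnoticed
var_dump(listUsers($db, 'login'));
var_dump(listUsers($db, 'created_at'));    // not whitelisted, so ordered by id
```

With mysqli the same shape applies: `prepare()`, `bind_param()`, `execute()`, and never `real_escape_string()` as the primary defence. The whitelist in `listUsers` is the part people forget: a placeholder protects a value, and anything that is syntactically not a value (a column, a table, a keyword, a sort direction) has to be constrained some other way.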
