Can escaping functions (e.g. mysql_real_escape_string) be moved down to the database layer, where we would loop through all parameters passed for all queries and escape all strings? Would that be a good design?
3 Answers
5
In most other languages you would use "prepared statements" for this where you separate the SQL from the values.
Doesn't PHP provide the same facility?
3
PHP does provide a good emulation of prepared statements through the built-in PDO library. Use this for SQL if you can. The mysql_* functions are quick, dirty and legacy.
Ben XO
- 301
0
It would not be good design.
Use one of the common escaping libraries to escape the parameters.
Rolling out your own is error prone, especially in the database (where it might be subverted by a cleverly written parameter).
Additionally, SQL is fairly poor at string manipulation, so also a bad choice on this point.
Oded
- 53,734
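The point made in the answers above, written out as an added example (not code from the thread): the same lookup as a PDO prepared statement, and as the "escape every parameter in the database layer" design from the question. It assumes PDO with an in-memory SQLite database so it runs offline; the binding API is the same for MySQL, and PDO::quote() stands in for mysql_real_escape_string.

```php
<?php
// Added example, not code from the thread. Uses an in-memory SQLite database
// through PDO so it runs offline; the binding API is the same for MySQL.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, active INTEGER NOT NULL)');
    // Constructed sample rows; one name contains a quote, which is exactly
    // the character escaping functions exist to handle.
    $ins = $db->prepare('INSERT INTO users (name, active) VALUES (:name, :active)');
    foreach ([['alice', 1], ["O'Brien", 1], ['bob', 0]] as [$name, $active]) {
        $ins->execute([':name' => $name, ':active' => $active]);
    }
    return $db;
}

// Prepared statement: the SQL text is fixed at prepare() time and the values
// are bound with their types, so there is nothing to escape anywhere.
function findActiveByName(PDO $db, string $name, int $limit): array {
    $stmt = $db->prepare(
        'SELECT id, name FROM users WHERE name = :name AND active = 1 LIMIT :limit'
    );
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT); // an int, not a quoted string
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The design from the question: a generic layer that escapes and quotes every
// parameter (PDO::quote() standing in for mysql_real_escape_string). It only
// works while every parameter lands inside a string literal; as soon as one
// belongs elsewhere (the LIMIT count here) the layer must understand the SQL
// grammar to do the right thing, which is exactly what prepared statements
// take off the application's hands.
function findActiveByNameEscaped(PDO $db, array $params): array {
    $quoted = array_map(fn($p) => $db->quote((string) $p), $params);
    // LIMIT '5' happens to be accepted by SQLite but is a syntax error in MySQL.
    $sql = "SELECT id, name FROM users WHERE name = $quoted[0] AND active = 1 LIMIT $quoted[1]";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

$db = openDb();
var_dump(findActiveByName($db, "O'Brien", 5));          // one row: id 2, name O'Brien
var_dump(findActiveByNameEscaped($db, ["O'Brien", 5])); // same row on SQLite; fails on MySQL
```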