re: SQL Injection Best Solution


@macnux mysql_real_escape_string is really bad and it's not foolproof.

The only and best way to set up PHP to not have SQL injections is to use bind parameters (or, well, use a simple abstraction layer).

Using mysql_real_escape_string, as the article said, is for when you only have the MySQL extension or MySQLi.
But if you have PDO, you can use bind parameters.

Right, but you should get rid of mysql queries as soon as possible.
Also, mysqli supports bind params as well.
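The point both replies are making, shown side by side as an added example (this is not code from the thread or the linked article): the same lookup written with string concatenation, with escaping, and with bound parameters in both mysqli and PDO. Assumptions: a MySQL server reachable with the hypothetical DSN and credentials below, a table `users(id INT, name VARCHAR)`, and the mysqlnd driver (needed for `mysqli_stmt::get_result`). Because the old `mysql_*` extension was removed in PHP 7, `mysqli::real_escape_string` stands in for `mysql_real_escape_string`; it behaves the same way for this purpose.

```php
<?php
// Added example, not from the original thread. Connection details, the
// `users` table and the sample input are assumptions for the demo.
declare(strict_types=1);

$host = '127.0.0.1'; // assumed
$db   = 'app';       // assumed
$user = 'app';       // assumed
$pass = 'secret';    // assumed

$pdo = new PDO("mysql:host=$host;dbname=$db;charset=utf8mb4", $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);
$mysqli = new mysqli($host, $user, $pass, $db);
$mysqli->set_charset('utf8mb4'); // escaping is only correct for the connection charset

// Attacker-controlled input, constructed for the demo. There are no quotes
// around the value in the vulnerable queries below, so there is nothing for
// real_escape_string to escape: the injected "OR 1=1" survives untouched.
$id = '1 OR 1=1';

// 1. Vulnerable: the value is pasted into the SQL text.
function findUserVulnerable(mysqli $conn, string $id): array
{
    $sql = "SELECT id, name FROM users WHERE id = $id";
    return $conn->query($sql)->fetch_all(MYSQLI_ASSOC); // every row comes back
}

// 2. Escaped, but still vulnerable: escaping only protects a value that sits
//    inside a quoted string literal, and this one does not.
function findUserEscaped(mysqli $conn, string $id): array
{
    $safe = $conn->real_escape_string($id); // '1 OR 1=1' contains nothing to escape
    $sql  = "SELECT id, name FROM users WHERE id = $safe";
    return $conn->query($sql)->fetch_all(MYSQLI_ASSOC); // still every row
}

// 3a. mysqli prepared statement: the SQL text never contains the value, so
//     the server parses the query before it ever sees the input.
function findUserMysqli(mysqli $conn, string $id): array
{
    $stmt = $conn->prepare('SELECT id, name FROM users WHERE id = ?');
    $stmt->bind_param('s', $id); // sent as a single literal, never parsed as SQL
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // at most the matching row
}

// 3b. PDO prepared statement with a named placeholder, same guarantee.
function findUserPdo(PDO $conn, string $id): array
{
    $stmt = $conn->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$results = [
    'vulnerable' => findUserVulnerable($mysqli, $id),
    'escaped'    => findUserEscaped($mysqli, $id),
    'mysqli'     => findUserMysqli($mysqli, $id),
    'pdo'        => findUserPdo($pdo, $id),
];
foreach ($results as $label => $rows) {
    printf("%-10s %d row(s)\n", $label, count($rows));
}
```

With the constructed input, the first two variants return the whole table and the two prepared-statement variants return at most one row. Turning off `PDO::ATTR_EMULATE_PREPARES` matters: with emulation on, PDO quotes the value client-side instead of sending a real prepared statement, which is closer to escaping than to binding.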

For large projects, bind parameters require you to go to every file in your project and change the code to use bind parameters, but this way all you need to do is change your header file once for all of the project files, and all of your code is secured from SQLi.

The header file is the main file which is included in all of your code files,
like head.php or up.php in some CMSes.
This header file runs on every request to your website.
I hope you got it.

Ok. You mean like a global config. I thought you meant the classic beginner-style "header.php" that contains all of the config code, the database connection, and the HTML of the website layout (html > head > body > header id=header).
