<p>You should just not forget escaping your data when injecting it into some SQL queries.</p>
<p>Either use a function to <strong>escape the data</strong>:<br>Depending on the API you're working with:</p>
<ul>
<li><a href="http://fr2.php.net/mysql_real_escape_string" rel="nofollow"><code>mysql_real_escape_string</code></a>,</li>
<li><a href="http://fr.php.net/mysqli_real_escape_string" rel="nofollow"><code>mysqli_real_escape_string</code></a>,</li>
<li>or <a href="http://fr.php.net/manual/en/pdo.quote.php" rel="nofollow"><code>PDO::quote</code></a></li>
</ul>
<p>Or you could use <strong>Prepared Statements</strong>:<br><em>Those might seem a bit harder to understand at first, but they are worth investing some time in...</em></p>
<ul>
<li>With <a href="http://fr.php.net/manual/en/mysqli.prepare.php" rel="nofollow">mysqli</a>,</li>
<li>And with <a href="http://fr.php.net/manual/en/pdo.prepare.php" rel="nofollow">PDO</a>.</li>
</ul>
<p>Then, of course, when using the data from the database to generate some output, the same idea applies: escape the output.</p>
<p>If you are generating some HTML output, you'll typically want to use something like <a href="http://fr.php.net/htmlspecialchars" rel="nofollow"><code>htmlspecialchars</code></a>.<br>Or, to allow some specific HTML tags, see <a href="http://htmlpurifier.org/" rel="nofollow">HTML Purifier</a>.</p>
<p>If you are generating some other kind of output, you'll have to find how to escape your data specifically for this type of output.</p>
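The three points of the answer (escape the data, or better, use a prepared statement; then escape the output for its context) side by side, as an added example that is not part of the original answer. It uses PDO against an in-memory SQLite database so it runs without a MySQL server; the <code>users</code> table, its two rows and the function names (<code>findUserUnsafe</code>, <code>findUserSafe</code>, <code>findUserQuoted</code>, <code>renderUser</code>) are constructed for this illustration. A legitimate name with an apostrophe (<code>O'Brien</code>) is enough to show why the concatenated query is wrong and the bound one is not.

```php
<?php
// Added example: PDO prepared statements and output escaping, as recommended
// in the answer above. The table, rows and helper names are constructed here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, bio TEXT)');

// Seed rows through a prepared statement too: the values never become SQL text.
$seed = $pdo->prepare('INSERT INTO users (name, bio) VALUES (:name, :bio)');
foreach ([
    ['Alice',   'Likes <b>bold</b> text'],
    ["O'Brien", 'Has an apostrophe in the name'],
] as [$name, $bio]) {
    $seed->execute([':name' => $name, ':bio' => $bio]);
}

// The pattern the answer warns against: user data concatenated into the query.
// A perfectly valid name such as O'Brien already breaks the statement.
function findUserUnsafe(PDO $pdo, string $name): ?array
{
    $sql = "SELECT id, name, bio FROM users WHERE name = '$name'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Prepared statement: the SQL text is fixed, the value is bound separately,
// so the quote in O'Brien is just data and never alters the query.
function findUserSafe(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, bio FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// PDO::quote is the "escape the data" alternative from the answer, for the
// rare case where a prepared statement is not an option (driver-specific quoting).
function findUserQuoted(PDO $pdo, string $name): ?array
{
    $sql = 'SELECT id, name, bio FROM users WHERE name = ' . $pdo->quote($name);
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output side: data read back from the database is escaped for the HTML
// context at the moment it is written into the page, not when it was stored.
function renderUser(array $user): string
{
    $name = htmlspecialchars($user['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $bio  = htmlspecialchars($user['bio'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<li>' . $name . ': ' . $bio . '</li>';
}

try {
    findUserUnsafe($pdo, "O'Brien");
} catch (PDOException $e) {
    // The unterminated string literal surfaces as a database error.
    echo 'unsafe query failed: ' . $e->getMessage() . PHP_EOL;
}

// Both safe variants find the row, and the output is escaped for HTML.
echo renderUser(findUserSafe($pdo, "O'Brien")) . PHP_EOL;
echo renderUser(findUserQuoted($pdo, 'Alice')) . PHP_EOL;
```

With mysqli the equivalent of <code>findUserSafe</code> is <code>$mysqli->prepare()</code> followed by <code>$stmt->bind_param('s', $name)</code> and <code>$stmt->execute()</code>; the principle is the same: the query text and the values travel separately. Note that <code>PDO::quote</code> is only as good as the driver's quoting rules and the connection's character set, which is why the prepared statement is the form to reach for first.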