On Tue, May 27, 2014 at 7:35 AM, Brian J. Rogers <captbrog...@gmail.com> wrote:
> The mysql_* functions are being deprecated. So the recommendation is to use
> PDO. PDO's prepared statements will help sanitize your input, because even
> on an update/insert, a malicious user can still wreak havoc.
>
> Here is a slightly older article on it:
> https://code.tutsplus.com/tutorials/why-you-should-be-using-phps-pdo-for-database-access--net-12059
This appears to me to be the correct advice. In general, you should not think about "sanitizing strings"; thinking this way means you're misunderstanding the actual problem. There's no one true method of "sanitizing strings" because the way strings are interpreted varies based on their destination rather than their source. What the PDO thing is doing is pushing the job of dealing with the translation of "strings" to "SQL query data" to code that understands how SQL interprets things. This code can correctly perform any escaping necessary, because it understands the destination domain.

You should not think of SQL queries as "strings"; you should think of them as data objects that happen to have a string-like representation. It's a type error (in theory, even if not actually enforced by your language) to use a string as part of a query.

You should also not think of HTML as "strings"; they're data objects that also happen to have a string-like representation. So user input should pass through a process similar to PDO-parameterization in order to build HTML objects from strings. Even if the HTML is ultimately *represented* in your language as a string!

Well-designed web frameworks, regardless of language, will provide "string-to-X" builder functions like PDOs for all string-like data such as programmatically-constructed SQL queries, HTML, or JavaScript. Furthermore, they'll do type checking (whether static or dynamic) to ensure that it's an error to pass a normal string directly to something that expects an SQL query, HTML, or JavaScript. I would imagine that such things exist for PHP, though I've never really looked into it myself.

--Levi

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
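Added example, not code from Levi's message or from any poster in the thread: one user-supplied value is sent to two destinations (SQL through PDO, and HTML through an encoder), with a small `SqlQuery` class standing in for the "type check" Levi describes so that a plain string cannot reach the database by mistake. It assumes PHP 8.1+ with the pdo_sqlite extension and uses a constructed in-memory table.

```php
<?php
// Added example, not code from the thread: the same user input goes to two
// destinations (SQL and HTML) and each destination's own code does the escaping.
// Assumes PHP 8.1+ with the pdo_sqlite extension; uses an in-memory database.
declare(strict_types=1);

// A distinct type for "a SQL query", so a plain string cannot be passed by mistake.
final class SqlQuery
{
    private function __construct(public readonly string $sql, public readonly array $params) {}

    // Placeholders are the only way user data gets into the query text.
    // (Simple check: a literal '?' inside a SQL string constant would confuse it.)
    public static function of(string $sqlWithPlaceholders, array $params): self
    {
        $expected = substr_count($sqlWithPlaceholders, '?');
        if ($expected !== count($params)) {
            throw new InvalidArgumentException("expected $expected parameters, got " . count($params));
        }
        return new self($sqlWithPlaceholders, $params);
    }
}

// The only function that talks to the database: it accepts SqlQuery, never string.
function runQuery(PDO $pdo, SqlQuery $q): array
{
    $stmt = $pdo->prepare($q->sql);   // PDO, which understands SQL, handles the binding
    $stmt->execute($q->params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// HTML is a different destination with different rules; its own encoder does the work.
function htmlText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample data.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien <b>')");

$input = "' OR '1'='1";  // textbook hostile input; bound as data it is just an odd name
$rows = runQuery($pdo, SqlQuery::of('SELECT id, name FROM users WHERE name = ?', [$input]));
echo count($rows), " row(s) matched\n";  // no rows: compared as a literal name, nothing injected

// runQuery($pdo, "SELECT * FROM users WHERE name = '$input'");  // TypeError: not an SqlQuery
foreach (runQuery($pdo, SqlQuery::of('SELECT name FROM users WHERE id = ?', [2])) as $row) {
    echo '<td>', htmlText($row['name']), "</td>\n";  // quote and angle brackets become entities
}
```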