do I need real_escape_string for parametrized queries ?

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!

Moderators: egami, macek, gesf

Post Reply
New php-forum User
New php-forum User
Posts: 7
Joined: Sat Jan 14, 2012 1:36 pm

Sat Oct 12, 2013 11:21 am

Do I need real_escape_string for parametrized queries ?
... or even more?
Well, I am maintaining a simple cms where i actually take care of user input - such as comments.
The latter is stripped off from any harmful stuff (at least I hope so).
But the administrators and moderators are able to publish articles full of html code so it's a bit tricky to avoid errors that come from copy/paste with hidden $bad_stuff

Even users may publish comments on coding with php code and/or html code.
So I need some advice how to do it properly.

i am an experienced programmer but my roots are not within PHP/mySQL so I tried several stuff to sanitize input, but more or less all the time the content is messed up after several steps of editing.

Actually my code looks like [simplified]:
insert into articles (bodytext,keywords,teaser,title)Values(?,?,?,?)
then bind_param() is used to insert the values

and of course the respective update statements.

So the question is: do I have to do some sanitization of the parameters in question?

And yes, I know about the flaws and issues on having something like "<script >...</script> inside an article. i'll take care about that.
I mean: DO I REALLY need to take care about the input if I trust the moderators?
Please direct me on any articles related to this problem if you know something worth reading.
php-forum GURU
php-forum GURU
Posts: 1803
Joined: Thu Mar 10, 2011 5:07 pm

Thu Oct 17, 2013 10:09 pm

All input are evil, you should not trust any input.

You cannot EXPECT somebody else to do the sanitation, validation, error checking etc for you. You need to do all these on your side.
Post Reply