
Latios 05-30-2011 08:50 AM

filtering MYSQL database input in PHP does not work
 
I am trying to make a PHP form where the user inputs a text string, and then it is stored in MYSQL db

1.php
Code:

<form action="2.php" method="post">
Your name: <input type="text" name="txt_name" />
<input type="submit" />
</form>

2.php
Code:

<?php echo filter_var ($_POST["txt_name"], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH) ; ?>
In 2.php, instead of the echo, I want to send it to the db.

Both web pages are UTF-8. I want the db to accept any foreign-language characters too, as long as they are database-safe.



With FILTER_FLAG_STRIP_HIGH, foreign-language characters are removed but injection attempts are not:

input
Code:

≠≠");DROP SCHEMA
output
Code:

");DROP SCHEMA


With FILTER_FLAG_STRIP_LOW, no filtering happens at all:

output
Code:

≠≠");DROP SCHEMA


How to do it right?

Guttorm 05-30-2011 09:04 AM

Hi

You could use FILTER_SANITIZE_MAGIC_QUOTES instead, which just does the same as addslashes. It is safe as long as the encoding of the database connection is UTF-8, but not always with other encodings. The only 100% safe method is to either use mysqli with prepared statements, or use mysqli_real_escape_string, because the escaping needs to know which encoding it is dealing with.
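A version of 2.php that stores the value with a mysqli prepared statement, as the reply suggests, and keeps the foreign-language characters intact. This is an added example, not code from the thread. It assumes a local MySQL server with database test_db, user app / password secret, and a utf8mb4 table people(id, name) created as in the comment.

```php
<?php
// 2.php rewritten to insert into the db with a prepared statement (added example).
// Assumed schema:
//   CREATE TABLE people (id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(100))
//   CHARACTER SET utf8mb4;
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false

$db = new mysqli('localhost', 'app', 'secret', 'test_db'); // assumed credentials
// Tell the client library which encoding the connection uses. This is what
// makes real_escape_string() encoding-aware; "SET NAMES" sent as a query
// does not update the client library's idea of the charset.
$db->set_charset('utf8mb4');

$name = isset($_POST['txt_name']) ? $_POST['txt_name'] : '';
// Reject bytes that are not valid UTF-8 rather than trying to "sanitize" them:
// the server is told the bytes are UTF-8, so they must actually be UTF-8.
if (!mb_check_encoding($name, 'UTF-8')) {
    http_response_code(400);
    exit('txt_name is not valid UTF-8');
}

// The value is sent to the server separately from the SQL text, so quotes,
// parentheses, semicolons or "DROP SCHEMA" inside it are data, not SQL.
$stmt = $db->prepare('INSERT INTO people (name) VALUES (?)');
$stmt->bind_param('s', $name);
$stmt->execute();
$id = $stmt->insert_id;
$stmt->close();

// Read the row back the same way, then escape for the HTML context on output.
$stmt = $db->prepare('SELECT name FROM people WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($stored);
$stmt->fetch();
$stmt->close();

header('Content-Type: text/html; charset=utf-8');
echo 'Stored: ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
// For the thread's sample input  ≠≠");DROP SCHEMA  the row holds exactly those
// characters, "≠" included, and no second statement is ever executed.
```

If you must build the SQL string yourself, use $db->real_escape_string() only after set_charset(), for the reason given in the reply; a prepared statement avoids the question entirely.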

