php - Avoiding SQL injection using mysql_real_escape_string and stripslashes

Question

Is this a good way to prevent SQL injection before running a database query?

$name = mysql_real_escape_string(stripslashes($name));
$age = mysql_real_escape_string(stripslashes($age));
$location = mysql_real_escape_string(stripslashes($location));

Thanks in advance!

Answer 1

This answers it well:

• mysql_real_escape_string() versus Prepared Statements by Ilia Alshanetsky

So what can you do? The solution is to use prepared statements, which are supported by nearly all PHP database extensions with the notable exceptions of MySQL (ext/mysql) and SQLite2 (ext/sqlite). So, to be on the safe side, I'd recommend using the PDO interface to talks with those databases or in the case of MySQL using the newer MySQLi (ext/mysqli) extension. Those interfaces provide prepared statement support, which allows for separation between query structure and the query parameters.

So to be on safer side, don't rely on mysql_real_escape_string alone, using prepared statements is much better.