Debunking the mysql_real_escape_string myth
Are you sure that mysql_real_escape_string is enough to sanitize your input? (Spoiler: it’s not) From PHP Manual: string mysqli_real_escape_string ( mysqli $link , string $escapestr ) link Procedural style only: A link identifier returned by mysqli_connect() or mysqli_init() escapestr The string to be escaped. Characters encoded are NUL (0x00), \n, \r, \, ’, ", and SUB (Ctrl-Z or 0x1A) Despite what many believe, mysql_real_escape_string does not encode all MySQL special characters; it only encodes characters that may terminate a string....