Is this a good way to prevent SQL injection before running a database query?
$name = mysql_real_escape_string(stripslashes($name));
$age = mysql_real_escape_string(stripslashes($age));
$location = mysql_real_escape_string(stripslashes($location));
Thanks in advance!
See Question&Answers more detail:os
This answers it well:
So what can you do? The solution is to use prepared statements, which are supported by nearly all PHP database extensions with the notable exceptions of MySQL (ext/mysql) and SQLite2 (ext/sqlite). So, to be on the safe side, I'd recommend using the PDO interface to talks with those databases or in the case of MySQL using the newer MySQLi (ext/mysqli) extension. Those interfaces provide prepared statement support, which allows for separation between query structure and the query parameters.
So to be on safer side, don't rely on mysql_real_escape_string alone, using prepared statements is much better.
