0

I'm using mysqli and I'm trying to develop the ultimate sanitizing function before appending to/updating the database.

  1. I was wondering if that super simple function can do the job for me.

    function sanitize($me) {
    return mysql_real_escape_string($me);
    }
    
  2. Should internal PHP commands like date and time (for example sanitize(date("F j, Y, g:i a"));) also be sanitized?

2 Answers

5

if that super simple function can do the job for me.

No. Simply because the underlying function has absolutely nothing to do with sanitization, even when taken from the proper extension.

Should internal PHP command output also be sanitized?

Yes. Because your db-related logic should be ignorant of the data source. All it should know is that this data is going into a query and thus has to be properly formatted.

Prepared statements are the only way to reach the goal. So, you have to get rid of this function and start learning prepared statements.


2

Everything should be sanitized, no matter if it is user input, result from function call or even hard-coded data. One day you will decide to make the date format dynamic, allowing user to set the format string, and you'll forget to sanitize it; the user will add quotes to the format and your SQL will be broken.

mysql_real_escape_string does not belong to the mysqli extension; use the correct function. Even better, use PDO and you don't need a function, only param binding.
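Both answers point the same way: drop the escape-based sanitize() helper and bind every value, including date() output, as a parameter. The following is an added example (it is not code from the question or from either answer) showing what that looks like with mysqli prepared statements. It assumes a table named notes with columns created_at and body, and the connection credentials are placeholders.

```php
<?php
// Added example, not from the question or either answer above.
// Assumptions: a table `notes` (id INT AUTO_INCREMENT, created_at VARCHAR(64), body TEXT)
// and placeholder connection credentials.
declare(strict_types=1);

// Throw exceptions on driver errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholder credentials
$db->set_charset('utf8mb4'); // the connection charset must be set before any value handling

/**
 * Insert a note. Every value, whether it comes from the user or from a PHP
 * built-in such as date(), travels as a bound parameter, never as query text,
 * so no escaping function is needed and quotes in the data are harmless.
 */
function insertNote(mysqli $db, string $body): int
{
    $createdAt = date('F j, Y, g:i a'); // date() output is bound exactly like user input
    $stmt = $db->prepare('INSERT INTO notes (created_at, body) VALUES (?, ?)');
    $stmt->bind_param('ss', $createdAt, $body); // 's' = string for each placeholder
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

/**
 * Look notes up by their stored date string, again via a bound WHERE parameter.
 * get_result() requires the mysqlnd driver, which is the default in modern PHP.
 */
function findNotesByDate(mysqli $db, string $createdAt): array
{
    $stmt = $db->prepare('SELECT id, body FROM notes WHERE created_at = ?');
    $stmt->bind_param('s', $createdAt);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// A body full of quote characters is stored verbatim; the SQL text never changes.
$id = insertNote($db, "O'Reilly wrote: \"it's fine\" -- or is it?");
echo "inserted row {$id}\n";

foreach (findNotesByDate($db, date('F j, Y, g:i a')) as $row) {
    echo "{$row['id']}: {$row['body']}\n";
}
```

Placeholders can only stand in for values. Table and column names, ORDER BY targets and LIMIT counts cannot be bound, so anything dynamic in those positions has to be checked against a whitelist in PHP before it is concatenated into the query string. If you are stuck with a code path that must build query text from data, mysqli's own escaping function is mysqli_real_escape_string (or $db->real_escape_string()), which depends on the connection charset set above; that is the mistake the second answer is pointing at, but it remains a fallback, not a replacement for binding.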
