On Thu, Jul 21, 2016 at 9:50 PM, Aziz Saleh <azizsaleh@xxxxxxxxx> wrote: > Prepared statements have nothing to do with htmlentities (probably since > its an old code it was doing it wrong, should have been using > mysql_real_escape_string). > > That is NOT true. To rely on mysql_real_escape_string still leaves an open window to attack: http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string A simple regex (or so) to only allow approved characters would be better practice.
