Using php filter_var with mysql_real_escape_string

Backend | unresolved | 4 answers | 945
佛祖请我去吃肉 2021-02-13 16:28

I would like to start my question by saying, I realize PDO/mysqli is the new standard and has been widely covered on SO. However in this particular case I don't have time to conv

4 answers
  •  萌比男神i
    2021-02-13 17:00

    Sanitising a string serves to make it conform to certain expectations. FILTER_SANITIZE_EMAIL removes any characters from a string which would be invalid in an email. The result is (supposedly) guaranteed to conform to email address syntax. How useful randomly removing characters from a string is I'll leave up to you. (Hint: I don't think it's very useful at all; you should rather reject invalid addresses than to transform them into random results. I give you an invalid email address, you hammer it into some shape that resembles an email address, now how do you know you'll be able to send me an email...?!)

    mysql_real_escape_string is there to ensure that an arbitrary string does not violate SQL's string literal syntax by escaping all escape-worthy characters. Assuming you're using it correctly (lots of pitfalls mysql has, which is why it's deprecated...), there's nothing you can do to its input that would make it fail. You give it any arbitrary string, it returns you the escaped version, period.

    As such, in general, yes, what you're doing is fine. If mysql_real_escape_string is the last thing you do to your string before interpolating it into an SQL string literal, then it's fine.
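The two points of the answer above in code, as an added example that is not part of the original question or answer: validation refuses a malformed address where sanitisation silently rewrites it, and escaping (or, better, binding) is the last thing that happens to the value before it reaches SQL. The `mysqli` connection details and the `users(email)` table are assumptions; `mysqli_real_escape_string` stands in for the removed `mysql_*` function.

```php
<?php
// Added example, not code from the original question or answer.
// Assumed: a reachable MySQL server with the credentials below and a table users(id, email).

function acceptEmail(string $raw): ?string
{
    // Validation returns the input unchanged or refuses it; nothing is rewritten.
    $email = trim($raw);
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? null : $email;
}

function findUserId(mysqli $db, string $raw): ?int
{
    $email = acceptEmail($raw);
    if ($email === null) {
        return null;                       // reject, do not "repair" the address
    }
    // Preferred path: the value is bound, never spliced into the SQL text, so no escaping is needed.
    $stmt = $db->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ? (int) $row['id'] : null;
}

// Constructed input: the angle brackets make this an invalid address.
$raw = 'alice<script>@example.com';

// FILTER_SANITIZE_EMAIL strips the brackets and hands back a well-formed address
// the user never typed; FILTER_VALIDATE_EMAIL (via acceptEmail) refuses the input.
var_dump(filter_var($raw, FILTER_SANITIZE_EMAIL));
var_dump(acceptEmail($raw));

// Legacy path from the question, if a prepared statement really is not an option:
// mysql_* was removed in PHP 7, so mysqli_real_escape_string is used here instead.
// Escape as the very last step, and only for a value placed inside a quoted string literal.
$db = new mysqli('localhost', 'app', 'secret', 'appdb');   // assumed credentials
$email = acceptEmail('alice@example.com');
$escaped = mysqli_real_escape_string($db, $email);
$sql = "SELECT id FROM users WHERE email = '$escaped'";
$result = $db->query($sql);
var_dump($result->fetch_assoc());

// Same lookup through the bound-parameter path.
var_dump(findUserId($db, 'alice@example.com'));
```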
