how to protect update table set column $_POST data

Post by unexperion »

Hi, I have a question about mysql_real_escape

In a regular query I would use (for example):

Code:

$query = "SELECT * FROM table WHERE id = '" . mysql_real_escape_string($id) . "' ";

But what am I to use in a situation like this?

Code:

mysql_query("UPDATE table SET column = '" . $_POST['article'] ."' ");

Can I use m_r_e_s somehow there, or should I use something else, and what?

Re: how to protect update table set column $_POST data

Post by twinedev »

You can use it just like in the first example. It is merely a function that escapes out certain characters in the string passed to it.
It doesn't care if it is a regular variable, from an array, or an actual string, just that the value is a string or can be interpreted as one (i.e., an integer).
Also, it doesn't care what the actual query is: SELECT, INSERT, UPDATE, etc. Again, it is just processing the string and returns another string.
The only requirement is that a mysql connection has already been made and you pass it some value that is (or can be used as) a string.

-Greg
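
The UPDATE from the question with the value escaped as the answer describes, next to a prepared statement, as an added example that is not code from either poster. It uses PDO with an in-memory SQLite database so it runs without a server, with PDO::quote() standing in for mysql_real_escape_string() (the mysql_* extension was removed in PHP 7.0); the table articles, its columns and the WHERE id clause are assumptions.

```php
<?php
// Added example. An in-memory SQLite database (via PDO) stands in for the
// MySQL connection; table and column names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, body TEXT)');
$db->exec("INSERT INTO articles (id, body) VALUES (1, 'old text'), (2, 'other row')");

// Constructed stand-ins for the submitted form fields.
$_POST['article'] = "Today's article";
$_POST['id']      = '1';

// Escaping, as the answer describes: the value is escaped and wrapped in
// quotes before it is concatenated into the UPDATE.
function updateEscaped(PDO $db, string $article, int $id): int
{
    $sql = 'UPDATE articles SET body = ' . $db->quote($article)
         . ' WHERE id = ' . $id;
    return $db->exec($sql); // number of rows changed
}

// Prepared statement: the SQL text is fixed and the values are bound to
// placeholders, so no escaping call can be forgotten.
function updatePrepared(PDO $db, string $article, int $id): int
{
    $stmt = $db->prepare('UPDATE articles SET body = :body WHERE id = :id');
    $stmt->execute([':body' => $article, ':id' => $id]);
    return $stmt->rowCount();
}

$id = (int) $_POST['id'];

// The unescaped form from the question: the apostrophe ends the string
// literal early and the statement no longer parses.
try {
    $db->exec("UPDATE articles SET body = '" . $_POST['article'] . "' WHERE id = " . $id);
    echo "raw: executed\n";
} catch (PDOException $e) {
    echo "raw: rejected (" . $e->getMessage() . ")\n";
}

echo 'escaped rows:  ', updateEscaped($db, $_POST['article'], $id), "\n";
echo 'prepared rows: ', updatePrepared($db, $_POST['article'] . ' (v2)', $id), "\n";
echo 'stored body:   ', $db->query('SELECT body FROM articles WHERE id = 1')->fetchColumn(), "\n";
```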