
how to protect update table set column $_POST data

Posted: Mon Jan 09, 2012 2:05 am
by unexperion
Hi, I have a question about mysql_real_escape

In a regular query I would use (for example)

Code:

$query = "SELECT * FROM table WHERE id = '" . mysql_real_escape_string($id) . "' ";
But what am I to use in a situation like this?

Code:

mysql_query("UPDATE table SET column = '" . $_POST['article'] ."' ");
Can I use m_r_e_s somehow there, or should I use something else, and what?

Re: how to protect update table set column $_POST data

Posted: Mon Jan 09, 2012 3:14 am
by twinedev
You can use it just like in the first example. It is merely a function that escapes out certain characters in the string passed to it.
It doesn't care if it is a regular variable, from an array, or an actual string, just that the value is a string or can be interpreted as one (i.e., an integer).
Also it doesn't care what the actual query is, SELECT, INSERT, UPDATE, etc. Again it is just processing the string and returns another string.
The only requirement is that a mysql connection has already been made and you pass it some value that is (or can be used as) a string.

-Greg
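
The reply's advice applied to the UPDATE from the question, as an added example that is not part of the thread; it goes one step further than the reply by also showing a prepared statement. Assumptions: PHP with the PDO SQLite driver (the `mysql_*` functions were removed in PHP 7.0), a hypothetical `articles` table with a `WHERE id = 1` clause that the original query lacks, and a constructed input value.

```php
<?php
// Added example, not code from the thread. The table, columns and input are constructed.
// In-memory SQLite stands in for MySQL so this runs without a database server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE articles (id INTEGER PRIMARY KEY, body TEXT)");
$pdo->exec("INSERT INTO articles (id, body) VALUES (1, 'old text')");

// Constructed stand-in for $_POST['article']: ordinary text with apostrophes.
$article = "It's the reader's choice";

// Helper (hypothetical name): read back what is stored in row 1.
function body(PDO $pdo): string {
    return $pdo->query("SELECT body FROM articles WHERE id = 1")->fetchColumn();
}

// 1. Raw concatenation, as in the question: the first apostrophe closes the
//    string literal, so the rest of the input is parsed as SQL and the query fails.
try {
    $pdo->exec("UPDATE articles SET body = '" . $article . "' WHERE id = 1");
    echo "raw:      stored\n";
} catch (PDOException $e) {
    echo "raw:      rejected by the SQL parser\n";
}

// 2. Escaping the value first, the approach described in the reply.
//    PDO::quote() escapes the string and adds the surrounding quotes itself.
$pdo->exec("UPDATE articles SET body = " . $pdo->quote($article) . " WHERE id = 1");
echo "escaped:  ", body($pdo), "\n";

// 3. Prepared statement: the value travels separately from the SQL text,
//    so there is no escaping step to forget.
$pdo->exec("UPDATE articles SET body = 'old text' WHERE id = 1"); // reset the row
$stmt = $pdo->prepare("UPDATE articles SET body = :body WHERE id = :id");
$stmt->execute([':body' => $article, ':id' => 1]);
echo "prepared: ", body($pdo), "\n";
```

With a MySQL DSN in place of `sqlite::memory:`, the same `prepare()` and `execute()` calls apply unchanged.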