
why .mysql_escape_string($_COOKIE['USERNAME']). ?

Posted: Wed May 31, 2006 4:19 pm
by Milan
in one of my previous posts you guys helped me to update the table, but one of you used

.mysql_escape_string($_COOKIE['USERNAME']).


why is that better than if i used a plain $_COOKIE['USERNAME'] ?


full line is

$query = "UPDATE `users` set `password` = $newp where `username` = '".mysql_escape_string($_COOKIE['username'])."'";

Posted: Wed May 31, 2006 4:33 pm
by jonra
It's a security risk to not use it. Without proper data cleaning, or even with just using 'addslashes', it is easy for a hacker to use injection to dig into the site structure. If you're using magic_quotes, you don't need to use this - but you should probably use .htaccess to turn magic quotes off - or write code that checks for it being on or off.

Posted: Wed May 31, 2006 4:37 pm
by Christopher
And now you are supposed to use mysql_real_escape_string() instead (see the docs).
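The following is an added example, not code from the thread or from PHP. It re-implements the escaping rules of mysql_real_escape_string in Python (the documented single-byte-charset rules: NUL, newline, carriage return, backslash, both quote characters and Ctrl-Z get a backslash) so that the thread's UPDATE query can be examined offline without a MySQL connection. It then uses a small MySQL-literal-aware splitter to show which part of the built statement the database would parse as SQL rather than as data. The cookie value, the password value and the function names are all constructed for the example; unlike the line posted above, the example also quotes and escapes the new password, which the original line interpolates bare.

```python
# Added example (not from the original thread): builds the thread's UPDATE
# statement with the cookie value used raw versus escaped, then separates
# SQL code from string-literal contents using MySQL's literal rules.

def mysql_escape(value: str) -> str:
    """Escape a string the way mysql_real_escape_string does for a
    single-byte connection charset. The real PHP function is charset-aware;
    this re-implementation only covers the single-byte case."""
    table = {
        "\0": "\\0",
        "\n": "\\n",
        "\r": "\\r",
        "\\": "\\\\",
        "'": "\\'",
        '"': '\\"',
        "\x1a": "\\Z",
    }
    return "".join(table.get(ch, ch) for ch in value)


def build_update_raw(newp: str, username: str) -> str:
    """The thread's query shape with values dropped in untouched (vulnerable)."""
    return (f"UPDATE `users` SET `password` = '{newp}' "
            f"WHERE `username` = '{username}'")


def build_update_escaped(newp: str, username: str) -> str:
    """Same query with every interpolated value passed through mysql_escape."""
    return (f"UPDATE `users` SET `password` = '{mysql_escape(newp)}' "
            f"WHERE `username` = '{mysql_escape(username)}'")


def sql_code_outside_literals(sql: str) -> str:
    """Return the characters of a MySQL statement that are NOT inside
    single-quoted string literals. Inside a literal, a backslash escapes the
    next character and a doubled quote '' is a literal quote, as in MySQL.
    Whatever an attacker manages to land in the returned text is parsed as SQL."""
    out = []
    i, n = 0, len(sql)
    in_literal = False
    while i < n:
        ch = sql[i]
        if in_literal:
            if ch == "\\" and i + 1 < n:
                i += 2          # escaped character stays inside the literal
                continue
            if ch == "'":
                if i + 1 < n and sql[i + 1] == "'":
                    i += 2      # doubled quote, still inside the literal
                    continue
                in_literal = False
        elif ch == "'":
            in_literal = True
        else:
            out.append(ch)
        i += 1
    return "".join(out)


# Constructed attacker-controlled cookie: closes the literal and appends a
# tautology so the UPDATE would match every row instead of one user.
EVIL_COOKIE = "nobody' OR '1'='1"
NEW_PASSWORD = "s3cret"   # constructed value standing in for $newp


def demo(newp: str = NEW_PASSWORD, cookie: str = EVIL_COOKIE) -> dict:
    """Build both statements and show the SQL the server would actually parse."""
    raw = build_update_raw(newp, cookie)
    esc = build_update_escaped(newp, cookie)
    return {
        "raw_sql": raw,
        "raw_code": sql_code_outside_literals(raw),
        "escaped_sql": esc,
        "escaped_code": sql_code_outside_literals(esc),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the raw query the text outside the literals ends in `WHERE `username` =  OR =`, so the attacker's `OR '1'='1'` is parsed as SQL and the UPDATE hits every user; with the escaped query the whole cookie value stays inside one literal and the WHERE clause compares against a username that simply does not exist. The reason Christopher points at mysql_real_escape_string rather than mysql_escape_string is that the former takes the open connection's character set into account; the function above only models the single-byte case. Prepared statements with bound parameters avoid building the string at all and are the stronger choice where the driver supports them.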

Posted: Wed May 31, 2006 4:37 pm
by Milan
once again fast and precise answer :)

you people are priceless