Hello there. I'm confused.
So should I use it on ALL the variables I make, or just the ones where users can input things? (not ones made by like links and stuff, I mean like login forms)
Cuz on every page I do thanks to my layout, I make a variable called $user. So I was wondering if on every page I should be escaping it. Because it's part of the layout.
mysql_real_escape_string
Mightywayne
- Forum Contributor
- Posts: 237
- Joined: Sat Dec 09, 2006 6:46 am
Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Well, it is really all the string data that might have characters that need to be escaped. For example, you do not need to escape values that you have knowingly set or converted to numbers (int, float). All input from the user comes as strings. You may also have strings, not from the user, that you want escaped as well.
It is far better to escape a value that did not need it, than to not escape a value that did.
Mightywayne
- Forum Contributor
- Posts: 237
- Joined: Sat Dec 09, 2006 6:46 am
AKA Panama Jack
- Forum Regular
- Posts: 878
- Joined: Mon Nov 14, 2005 4:21 pm
You do know you really only need to use that on variables that are being inserted into a MySQL query, and only in the query itself, not on every single variable used on a page.
Like this...

Code:
// $mydata is a string from the user, so it is escaped right where it enters the query.
// $myid is used bare inside the query, so it is cast to a number first rather than escaped as a string.
mysql_query("UPDATE yourtable SET myfield='" . mysql_real_escape_string($mydata) . "' WHERE id=" . (int) $myid);

Christopher
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
AKA Panama Jack wrote:
You do know you really only need to use that on variables that are being inserted into a mysql query and only in the query itself and not every single variable used on a page.

The other side of this is that if you want to display strings submitted by the user then you should use htmlentities() so they can't inject a script.
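Putting the two replies above together, here is an added example (not code from the thread or from any of its posters): the layout's $user stays raw, the SQL escaper runs only where the value enters a query, and the HTML escaper runs only where it is displayed. It assumes a mysqli connection in $link, a `users` table with a `nickname` column, and uses mysqli_real_escape_string() in place of the thread's mysql_real_escape_string(), which PHP 7 removed.

```php
<?php
// Added example, not the thread's code. Escape a string only at the boundary it
// crosses, and use the escaper that belongs to that boundary.
// mysqli_real_escape_string() stands in for mysql_real_escape_string() (removed
// in PHP 7); the escaping rules are the same. Table `users`, column `nickname`
// and the $link connection are assumptions.

function updateNickname(mysqli $link, string $nickname, int $id): bool
{
    // SQL boundary: the string is escaped here, at the moment it enters the
    // query, and nowhere else. Escaping it earlier (say, in the layout) would
    // double-escape it and store a mangled value.
    $safeNick = mysqli_real_escape_string($link, $nickname);

    // $id was typed as int on the way in, so it needs no string escaping
    // (the point above about values knowingly converted to numbers).
    $sql = "UPDATE users SET nickname='" . $safeNick . "' WHERE id=" . $id;

    return mysqli_query($link, $sql) !== false;
}

function renderGreeting(string $user): string
{
    // HTML boundary: a different escaper for a different context. The quotes
    // and angle brackets that matter here are not what the SQL escaper handles,
    // so escaping for MySQL would not have protected this output.
    return '<p>Hello, ' . htmlentities($user, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample input: awkward for both SQL (the quote) and HTML (the tag).
$user = "O'Brien <script>alert(1)</script>";

// The layout keeps $user raw; each function escapes for its own boundary.
echo renderGreeting($user), PHP_EOL;

// With a live connection in $link (assumption), the stored nickname would be the
// original text, since MySQL strips the escaping when it parses the literal:
// updateNickname($link, $user, (int) ($_POST['id'] ?? 0));
```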
Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
Quote:
Yeah, but I mean that's a hell of a lot of values to be escaped (if being the safest), and besides, wouldn't that at least cause a little more stress to the server? (I'm talking .00001 seconds here xP)

Likely, but it's either that or have an insecure application.