mysql_real_escape_string

Mightywayne
Forum Contributor
Posts: 237
Joined: Sat Dec 09, 2006 6:46 am

mysql_real_escape_string

Post by Mightywayne »

Hello there. I'm confused.

So should I use it on ALL the variables I make, or just the ones where users can input things? (not ones made by like links and stuff, I mean like login forms)

Cuz on every page I do thanks to my layout, I make a variable called $user. So I was wondering if on every page I should be escaping it. Because it's part of the layout.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

Well, it is really all the string data that might have characters that need to be escaped. For example, you do not need to escape values that you have knowingly set or converted to numbers (int, float). All input from the user comes as strings. You may also have strings, not from the user, that you want escaped as well.

It is far better to escape a value that did not need it, than to not escape a value that did.
(#10850)
Mightywayne
Forum Contributor
Posts: 237
Joined: Sat Dec 09, 2006 6:46 am

Post by Mightywayne »

Yeah, but I mean that's a hell of a lot of values to be escaped (if being the safest), and besides, wouldn't that at least cause a little more stress to the server? (I'm talking .00001 seconds here xP)
AKA Panama Jack
Forum Regular
Posts: 878
Joined: Mon Nov 14, 2005 4:21 pm

Post by AKA Panama Jack »

You do know you really only need to use that on variables that are being inserted into a MySQL query, and only in the query itself, not every single variable used on a page.

Like this...

Code:

// Escape the string value right where it is placed into the query; the
// numeric id is cast to int so it cannot carry anything but a number.
mysql_query("UPDATE yourtable SET myfield='" . mysql_real_escape_string($mydata) . "' WHERE id=" . (int) $myid);
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

AKA Panama Jack wrote: You do know you really only need to use that on variables that are being inserted into a MySQL query, and only in the query itself, not every single variable used on a page.
The other side of this is that if you want to display strings submitted by the user then you should use htmlentities() so they can't inject a script.
(#10850)
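The two posts above make one point between them: escape each value for the context it is entering, SQL escaping at the query boundary and HTML escaping at output. The following is an added example illustrating that, not code from anyone in this thread. It assumes a mysqli connection in $db and a table `users` with an INT `id` and a VARCHAR `name`; the `mysql_*` functions the thread discusses were removed in PHP 7, so the mysqli equivalents are used, and the connection credentials are placeholders.

```php
<?php
// Added example (not from the thread). Assumes a mysqli connection in $db
// and a table `users` with columns `id` (INT) and `name` (VARCHAR).

/**
 * Build the UPDATE statement with escaping applied only at the query
 * boundary, where the value meets the SQL text. Strings go through
 * real_escape_string(); numeric values are cast instead of quote-escaped.
 */
function buildUpdateQuery(mysqli $db, string $newName, $id): string
{
    $safeName = $db->real_escape_string($newName); // handles ' " \ NUL \n \r \x1a
    $safeId   = (int) $id;                         // numeric column: cast, never interpolate raw
    return "UPDATE users SET name='" . $safeName . "' WHERE id=" . $safeId;
}

/**
 * Escape a value for HTML output. This is a different context from SQL,
 * so a different function applies: real_escape_string() does nothing for
 * angle brackets, and htmlentities() does nothing for SQL quoting.
 */
function forHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Constructed test input: a quote that would end the SQL literal early and
// markup that would run as script if echoed unescaped.
$input = "O'Neil <script>alert(1)</script>";
$id    = '5 junk'; // constructed: a tampered form field; (int) reduces it to 5

$db = new mysqli('localhost', 'user', 'pass', 'app'); // placeholder credentials
$db->set_charset('utf8mb4');                          // escaping is charset-aware

// SQL context: escaped once, inside the query string only.
$db->query(buildUpdateQuery($db, $input, $id));

// HTML context: the same value, escaped for the page instead.
echo '<p>Welcome, ' . forHtml($input) . '</p>';
```

Note that `set_charset()` matters: `real_escape_string()` escapes according to the connection charset, so setting it explicitly keeps the escaping consistent with what the server will decode.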
Mightywayne
Forum Contributor
Posts: 237
Joined: Sat Dec 09, 2006 6:46 am

Post by Mightywayne »

Thanks, guys. :D
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Mightywayne wrote: Yeah, but I mean that's a hell of a lot of values to be escaped (if being the safest), and besides, wouldn't that at least cause a little more stress to the server? (I'm talking .00001 seconds here xP)
Likely, but it's either that or have an insecure application ;). You might also look into using Prepared Statements which simplify escaping quite a bit since you won't then have to constantly use mysql_real_escape_string().
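The prepared-statement approach Maugrim mentions, as an added example that is not part of the thread. It uses mysqli (the `mysql_*` extension has no prepared statements and was removed in PHP 7), assumes the same hypothetical `users` table with an INT `id` and a VARCHAR `name`, and uses placeholder connection credentials. The query text and the parameter values travel to the server separately, so no value can alter the statement's structure and there is nothing left to escape on the SQL side; output to HTML still needs its own escaping.

```php
<?php
// Added example (not from the thread). Assumes a mysqli connection in $db
// and a table `users` with columns `id` (INT) and `name` (VARCHAR).

/**
 * Update a user's name with a parameterised statement. The '?' markers are
 * placeholders; the bound values never become part of the SQL text.
 */
function updateUserName(mysqli $db, int $id, string $newName): bool
{
    $stmt = $db->prepare('UPDATE users SET name = ? WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // 's' = string, 'i' = integer: the driver types each value for us.
    $stmt->bind_param('si', $newName, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/**
 * Look up users by exact name. bind_result() is used rather than
 * get_result() so the code does not depend on the mysqlnd driver.
 */
function findUsersByName(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($rowId, $rowName);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['id' => $rowId, 'name' => $rowName];
    }
    $stmt->close();
    return $rows;
}

$db = new mysqli('localhost', 'user', 'pass', 'app'); // placeholder credentials
$db->set_charset('utf8mb4');

// Constructed input containing a quote and a backslash. With a prepared
// statement it is stored verbatim and cannot terminate the string literal.
$name = "O'Neil \\ Co";
updateUserName($db, 5, $name);

foreach (findUsersByName($db, $name) as $row) {
    // The output context is HTML, so that escaping is still required here.
    echo '<li>' . htmlentities($row['name'], ENT_QUOTES, 'UTF-8') . '</li>';
}
```

One caveat a reviewer would raise: only values can be bound. Table names, column names and `ORDER BY` directions cannot be placeholders, so anything user-controlled in those positions still has to be checked against an allow-list before it reaches the query text.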