mysql_real_escape_string
Posted: Wed Feb 14, 2007 6:21 pm
by Mightywayne
Hello there. I'm confused.
So should I use it on ALL the variables I make, or just the ones where users can input things? (not ones made by like links and stuff, I mean like login forms)
Cuz on every page I do thanks to my layout, I make a variable called $user. So I was wondering if on every page I should be escaping it. Because it's part of the layout.
Posted: Wed Feb 14, 2007 6:33 pm
by Christopher
Well it is really all the string data that might have characters that might need to be escaped. For example, you do not need to escape values that you have knowingly set or converted to numbers (int, float). All input from the user comes as strings. You may also have strings, not from the user, that you want escaped as well.
It is far better to escape a value that did not need it, than to not escape a value that did.
Posted: Wed Feb 14, 2007 6:49 pm
by Mightywayne
Yeah, but I mean that's a hell of a lot of values to be escaped (if being the safest), and besides, wouldn't that at least cause a little more stress to the server? (I'm talking .00001 seconds here xP)
Posted: Wed Feb 14, 2007 6:58 pm
by AKA Panama Jack
You do know you really only need to use that on variables that are being inserted into a mysql query and only in the query itself and not every single variable used on a page.
Like this...
mysql_query("UPDATE yourtable SET myfield='" . mysql_real_escape_string($mydata) . "' WHERE id=" . (int) $myid);
Posted: Wed Feb 14, 2007 7:05 pm
by Christopher
AKA Panama Jack wrote: You do know you really only need to use that on variables that are being inserted into a mysql query and only in the query itself and not every single variable used on a page.
The other side of this is that if you want to display strings submitted by the user then you should use htmlentities() so they can't inject a script.
Posted: Wed Feb 14, 2007 7:11 pm
by Mightywayne
Thanks, guys.

Posted: Thu Feb 15, 2007 4:11 am
by Maugrim_The_Reaper
Mightywayne wrote: Yeah, but I mean that's a hell of a lot of values to be escaped (if being the safest), and besides, wouldn't that at least cause a little more stress to the server? (I'm talking .00001 seconds here xP)
Likely, but it's either that or have an insecure application. You might also look into using Prepared Statements, which simplify escaping quite a bit since you won't then have to constantly use mysql_real_escape_string().
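The three points raised in this thread (escape only inside the query, use prepared statements instead, and escape for HTML separately with htmlentities()), shown side by side as an added example that is not code from any of the posters. It uses the mysqli extension because the old mysql_* functions were removed in PHP 7; the table name, column names and connection details are assumptions.

```php
<?php
// Added example: the UPDATE from the thread, written three ways.
// Assumes a table `yourtable` with columns `myfield` (string) and `id` (int),
// and an open mysqli connection in $db with the connection charset set.

// 1. Manual escaping, the mysqli equivalent of mysql_real_escape_string().
//    Every string spliced into the SQL must be escaped *and* sit inside quotes;
//    the numeric id is cast so it can carry nothing but digits.
function updateEscaped(mysqli $db, string $mydata, $myid): bool
{
    $sql = "UPDATE yourtable SET myfield='" . $db->real_escape_string($mydata)
         . "' WHERE id=" . (int) $myid;
    return $db->query($sql) === true;
}

// 2. Prepared statement: values travel separately from the SQL text, so no
//    per-value escaping call is needed and a forgotten one cannot happen.
function updatePrepared(mysqli $db, string $mydata, int $myid): bool
{
    $stmt = $db->prepare("UPDATE yourtable SET myfield=? WHERE id=?");
    $stmt->bind_param('si', $mydata, $myid); // 's' = string, 'i' = integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// 3. Output: SQL escaping does nothing for HTML. Anything user-supplied that
//    is echoed into a page goes through htmlentities() with an explicit charset.
function renderField(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: a quote (breaks the SQL string) and a tag (breaks HTML).
$mydata = "O'Reilly <b>not bold</b>";
$myid   = "42";

$db = new mysqli('localhost', 'user', 'pass', 'dbname'); // placeholder credentials
$db->set_charset('utf8mb4'); // real_escape_string() depends on the connection charset

updateEscaped($db, $mydata, $myid);
updatePrepared($db, $mydata, (int) $myid);
echo '<p>Hello, ' . renderField($mydata) . "</p>\n";
```

The prepared form is the one to prefer: the escaping form is only correct as long as every interpolated string is quoted and escaped, which is exactly the step that gets forgotten on a page with many variables.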