In what order

jack23
Forum Newbie
Posts: 1
Joined: Wed Jun 27, 2007 8:49 am

Post by jack23 »

I have a form that runs a file called check.processor.php when the submit button is clicked.

The check.processor.php performs:
1st. the form's validation
2nd. inserts the data into the database

My question is, when do I start using mysql_real_escape_string? Do I need to use it:
1. as soon as I start the form's validation
2. or can I just use it before I insert the data into the database after the validation has been done

Thanks
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

You only need the strings returned by mysql_real_escape_string() for the SQL statement.
Therefore
jack23 wrote: 2. or can i just use it before i insert the data into the database after the validation has been done
Yes.
Gente
Forum Contributor
Posts: 252
Joined: Wed Jun 13, 2007 9:43 am
Location: Ukraine, Kharkov

Post by Gente »

Before DB insert.
A little example. You have 'user_name', which contains the first and the last name of some user.
For example, the name of the user is John O'Henry.
A valid DB value would be John O\'Henry, but if some user inputs John O\'Henry in our form, an error should appear.
arturm
Forum Commoner
Posts: 86
Joined: Fri Apr 13, 2007 8:29 am
Location: NY

Post by arturm »

There is one exception to that rule: if your validation contains some SQL query (for example, you check if some value already exists in the database), you have to escape it before that.
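The order discussed in this thread, as an added example that is not part of any post above: validate the raw input, escape only where the SQL string is assembled, and escape earlier only when validation itself runs a query. Assumptions: PDO::quote() on an in-memory SQLite database stands in for mysql_real_escape_string() so the script runs without a MySQL server, and the `users` table, the function names and the allowed-character rule are hypothetical.

```php
<?php
// Added example: PDO::quote() on in-memory SQLite stands in for
// mysql_real_escape_string() so the script runs without a MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_name TEXT)');   // hypothetical table

// Step 1: validate the RAW value. A backslash is not a legal name character
// (assumed rule), so a user who types an already-escaped name is rejected.
function validate_name(string $raw): ?string {
    if (!preg_match("/^[A-Za-z][A-Za-z' -]{0,63}$/D", $raw)) {
        return 'name contains characters that are not allowed';
    }
    return null;
}

// The exception: validation that runs a query escapes the value first.
function name_exists(PDO $pdo, string $raw): bool {
    $sql = 'SELECT COUNT(*) FROM users WHERE user_name = ' . $pdo->quote($raw);
    return (int) $pdo->query($sql)->fetchColumn() > 0;
}

// Step 2: escape only at the point where the SQL statement is assembled.
function process(PDO $pdo, string $raw): string {
    if (($error = validate_name($raw)) !== null) {
        return "rejected: $error";
    }
    if (name_exists($pdo, $raw)) {
        return 'rejected: name already exists';
    }
    $pdo->exec('INSERT INTO users (user_name) VALUES (' . $pdo->quote($raw) . ')');
    return 'inserted';
}

// Constructed sample inputs: a valid name, the same name typed pre-escaped,
// and the valid name again to exercise the existence check.
foreach (["John O'Henry", "John O\\'Henry", "John O'Henry"] as $input) {
    printf("%-16s => %s\n", $input, process($pdo, $input));
}

// The stored value is the original text; the escaping exists only in the SQL.
var_dump($pdo->query('SELECT user_name FROM users')->fetchColumn());
```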