In what order

Posted: Wed Jun 27, 2007 8:58 am
by jack23
I have a form that runs a file called check.processor.php when the submit button is clicked.

The check.processor.php performs:
1st. the form's validation
2nd. inserts the data into the database

My question is, when do I start using mysql_real_escape_string? Do I need to use it:
1. as soon as I start the form's validation
2. or can I just use it before I insert the data into the database after the validation has been done

thanks

Posted: Wed Jun 27, 2007 9:04 am
by volka
You only need the strings returned by mysql_real_escape_string() for the sql statement.
Therefore
jack23 wrote: 2. or can I just use it before I insert the data into the database after the validation has been done
yes.

Posted: Wed Jun 27, 2007 9:06 am
by Gente
Before DB insert.
A little example. You have 'user_name' which contains the first and the last name of some user.
For example the name of user is John O'Henry.
The valid DB value would be John O\'Henry, but if some user inputs John O\'Henry in our form, an error should appear.

Posted: Wed Jun 27, 2007 9:55 am
by arturm
There is one exception to that rule: if your validation contains some SQL query (for example, you check if some value already exists in the database), you have to escape it before that.
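
The order the replies describe, as an added example that is not part of the thread: validation sees the raw input, and escaping happens only where the value enters an SQL statement, including the duplicate check arturm mentions. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL connection, PDO::quote() plays the role of mysql_real_escape_string(), and the users table, validate_user_name() and process_form() are hypothetical names.

```php
<?php
// Added example. Assumption: PDO + in-memory SQLite replaces the MySQL link;
// PDO::quote() escapes the value and also adds the surrounding quotes.

// Validation works on the raw value exactly as the user typed it.
function validate_user_name(string $raw): array
{
    $errors = [];
    if ($raw === '' || strlen($raw) > 40) {
        $errors[] = 'name must be 1-40 characters';
    }
    // Letters, spaces, apostrophes and hyphens only: a typed backslash is an error.
    if (!preg_match("/^[A-Za-z' -]+\z/", $raw)) {
        $errors[] = 'name contains invalid characters';
    }
    return $errors;
}

function process_form(PDO $db, string $raw): string
{
    $errors = validate_user_name($raw);
    if ($errors) {
        return 'rejected: ' . implode('; ', $errors);
    }
    // Escape only where the value enters an SQL string. The duplicate check is
    // part of validation but is itself a query, so the value is escaped first.
    $quoted = $db->quote($raw);
    $exists = $db->query("SELECT COUNT(*) FROM users WHERE user_name = $quoted")->fetchColumn();
    if ($exists > 0) {
        return 'rejected: name already exists';
    }
    $db->exec("INSERT INTO users (user_name) VALUES ($quoted)");
    return 'inserted';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_name TEXT)');

// Constructed sample inputs: a valid name, a name typed with a backslash,
// and the valid name submitted a second time.
foreach (["John O'Henry", "John O\\'Henry", "John O'Henry"] as $input) {
    echo $input, ' => ', process_form($db, $input), "\n";
}
// The stored value is the original text, without any escape characters.
echo $db->query('SELECT user_name FROM users')->fetchColumn(), "\n";
```

Escaping before validate_user_name() would make the valid name fail the character check, because the validator would then see the escape character instead of what the user typed.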