adding mysql_real_escape_string

Posted: Wed Jun 27, 2007 9:07 am
by oo7ml
When I am preparing my data for insertion into the database I am adding mysql_real_escape_string, but how do I add it to the about_me part?

Code:

//retrieve form data in a variable
$firstname  = mysql_real_escape_string($_POST['firstname']);
$about_me   = '?';

Thanks

Posted: Wed Jun 27, 2007 9:12 am
by volka
Might be

Code:

$about_me = mysql_real_escape_string($_POST['about_me']);

Might be something completely different.
The question is very vague.

Posted: Wed Jun 27, 2007 9:23 am
by oo7ml
No, sorry, there is no text field called about_me. I am just giving about_me a value of "?" so that it will be inserted into the database (it will be used later on). But just in case someone tries to mess around with my code, I want to add mysql_real_escape_string in front of it.

Posted: Wed Jun 27, 2007 10:17 am
by volka

Code:

$about_me = mysql_real_escape_string('?');

But it has no effect.

Messing around with the code in what way?

Posted: Wed Jun 27, 2007 10:58 am
by superdezign
oo7ml wrote: No, sorry, there is no text field called about_me. I am just giving about_me a value of "?" so that it will be inserted into the database (it will be used later on). But just in case someone tries to mess around with my code, I want to add mysql_real_escape_string in front of it.
You are aware that you only have to escape data that you don't have absolute control over, right? And you should only escape it right before putting it into the database. Relying on it being previously escaped is not good practice.
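
Added example, not part of the thread and not any poster's code: it shows the two points made above, that a constant like '?' needs no escaping and that user input is escaped (or bound) at the moment the query is built. It assumes PDO with an in-memory SQLite database so it runs without a MySQL server (the mysql_* functions were removed in PHP 7.0); the members table, its columns and the sample input are constructed for illustration.

```php
<?php
// Added example: table, columns and sample input are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (firstname TEXT, about_me TEXT)');

// Constructed stand-in for $_POST: the only value the script does not control.
$post = ['firstname' => "O'Brien"];

// Keep the raw value while the script works with it; no escaping on retrieval.
$firstname = $post['firstname'];

// A constant written by the programmer. A visitor cannot change it,
// so there is nothing in it to escape.
$about_me = '?';

// Escape at the point of use, right where the SQL string is assembled.
// PDO::quote() escapes for the connected driver and adds the surrounding quotes.
// The constant is written into the SQL text as an ordinary literal.
$sql = 'INSERT INTO members (firstname, about_me) VALUES ('
     . $db->quote($firstname) . ", '?')";
$db->exec($sql);

// Alternative: bound parameters. The values never become part of the SQL text,
// so neither the user input nor the constant needs escaping at all.
$stmt = $db->prepare(
    'INSERT INTO members (firstname, about_me) VALUES (:firstname, :about_me)'
);
$stmt->execute([':firstname' => $firstname, ':about_me' => $about_me]);

// Both rows hold the original, unescaped text: escaping is a property of
// the query string, not of the stored data.
foreach ($db->query('SELECT firstname, about_me FROM members') as $row) {
    printf("%s | %s\n", $row['firstname'], $row['about_me']);
}
```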