I have a question about escaping strings into queries. I didn't use any escaping and it works even when the user inputs data with " or '. When I echo the SQL query, it looks like it's already escaped.
So I wonder if I should use any of those escaping commands such as
Seems like you have magic_quotes_gpc on. Use mysql_escape_string anyway; this function is specifically designed to escape strings before embedding them in an SQL query. Personally I use this snippet often:
So for every piece of user input to store or compare: first strip slashes (if magic quotes is on) and second mysql-escape... This should be safe enough against hacking attacks like passing "admin OR username = 'admin" as the username, right?
Yes, it should. Keep in mind that magic_quotes_gpc affects only GET, POST and COOKIE variables. It's important to know that some items in the $_SERVER array are supplied by the user's browser or intermediate proxy servers, so you can't trust them. X_FORWARDED_FOR is a good example of such an item.
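The procedure agreed on in this thread (undo magic_quotes_gpc if it is on, then escape once with the MySQL escaping function, and treat $_SERVER values like X_FORWARDED_FOR as untrusted too) as an added example; this is not the answerer's snippet or any posted code. It assumes PHP 5.x with the legacy mysql extension (removed in PHP 7), and the connection credentials, table and column names are placeholders. It uses mysql_real_escape_string rather than mysql_escape_string because the former takes the connection's character set into account, which matters for multi-byte encodings.

```php
<?php
// Added example, not code from the thread. Assumes PHP 5.x with the legacy
// mysql extension; get_magic_quotes_gpc(), stripslashes() and
// mysql_real_escape_string() are the real PHP functions of that era.
// DB credentials and the users/id/last_ip schema are placeholders.

// Undo magic_quotes_gpc if it is on, so each value is escaped exactly once.
// Works recursively so it can be applied to the whole $_POST/$_GET/$_COOKIE array.
function unquote_gpc($value) {
    if (is_array($value)) {
        return array_map('unquote_gpc', $value);
    }
    return get_magic_quotes_gpc() ? stripslashes($value) : $value;
}

// Escape a raw string for use as a MySQL string literal and wrap it in quotes,
// so the caller never has to remember the surrounding quote characters.
// mysql_real_escape_string() uses the charset of $link; mysql_escape_string()
// does not, which is why the connection-aware variant is preferred here.
function sql_string($raw, $link) {
    return "'" . mysql_real_escape_string($raw, $link) . "'";
}

$link = mysql_connect('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER');
mysql_select_db('DB_NAME_PLACEHOLDER', $link);

// $_POST is affected by magic quotes, so normalise it before escaping.
$post     = unquote_gpc($_POST);
$username = isset($post['username']) ? $post['username'] : '';

// $_SERVER entries such as HTTP_X_FORWARDED_FOR are NOT touched by magic
// quotes and are set by the client or a proxy, so they get the same escaping.
$forwarded = isset($_SERVER['HTTP_X_FORWARDED_FOR'])
    ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '';

$sql = 'SELECT id FROM users WHERE username = ' . sql_string($username, $link)
     . ' AND last_ip = ' . sql_string($forwarded, $link);

// A username of  admin' OR username = 'admin  is now embedded as a single
// quoted literal with its inner quote escaped, so it is compared as data
// rather than parsed as part of the WHERE clause.
$result = mysql_query($sql, $link);
```

The point of doing the stripslashes step inside one helper is that the same code then behaves identically whether magic_quotes_gpc is on or off, and the value reaches mysql_real_escape_string exactly once; escaping twice produces doubled backslashes in stored data, and escaping zero times is the injection case the thread is asking about.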