Trying to understand where to use mysql_real_escape_string
Posted: Sat Nov 20, 2010 6:37 am
Newbie, trying to get to grips with the use of mysql_real_escape_string, which I believe I need to do to escape various characters as well as help protect against SQL injection.
As a starting point, I'm looking at this section of my code which I use to update my database when a user changes a score, effort grade or note in a form - could anyone point me in the right direction of where exactly to insert the mysql_real_escape_string. I'm sure as I learn more the online examples I've seen will make sense, but at the moment I'm struggling with this one! Thanks in advance for any suggestions.
Code:
$result = mysql_query("SELECT admin FROM students WHERE year='$_GET[year]'");
while ($row = mysql_fetch_array($result))
{
    // Form field names are the column prefix followed by the student's admin number
    $Aut7str = 'Aut7';
    $Aut7_Effortstr = 'Aut7_Effort';
    $Aut7_Notestr = 'Aut7_Note';
    $Aut7admin = $row['admin'];
    $Aut7_Effortadmin = $row['admin'];
    $Aut7_Noteadmin = $row['admin'];
    $Aut7together = $Aut7str . $Aut7admin;
    $Aut7_Efforttogether = $Aut7_Effortstr . $Aut7_Effortadmin;
    $Aut7_Notetogether = $Aut7_Notestr . $Aut7_Noteadmin;
    // The $_GET values go into the query unescaped (this is the part the question is about)
    $sql = "UPDATE assess
            SET Aut7='$_GET[$Aut7together]', Aut7_Effort='$_GET[$Aut7_Efforttogether]', Aut7_Note='$_GET[$Aut7_Notetogether]'
            WHERE admin='$row[admin]' AND subject_id='$_GET[subject]' ";
    mysql_query($sql);
}
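Here is the same loop with the escaping put where it belongs, as an added example (not the original poster's code). The connection details (localhost, dbuser, dbpass, database school), the helper names esc() and field(), and the charset are assumptions; the table and column names are taken from the post above. The rule it shows: every value that comes from $_GET is run through mysql_real_escape_string exactly once, on an open connection, and is then placed between single quotes in the SQL. The second half shows the same UPDATE with PDO prepared statements, which is what replaces this pattern now that the mysql_* functions are gone from PHP 7.

```php
<?php
// Added example, not the original poster's code. Connection details
// (localhost, dbuser, dbpass, school), the helper names esc() and field()
// and the utf8 charset are assumptions; table/column names come from the post.

$link = mysql_connect('localhost', 'dbuser', 'dbpass') or die(mysql_error());
mysql_select_db('school', $link) or die(mysql_error());
// Escaping is charset-dependent, so set the charset through the connection,
// not with a SET NAMES query that mysql_real_escape_string cannot see.
mysql_set_charset('utf8', $link);

// Escape one value for use INSIDE single quotes in SQL. The connection is
// passed so the escaping matches that connection's character set.
function esc($link, $value)
{
    return mysql_real_escape_string((string) $value, $link);
}

// Read a form field with a default, so a missing field gives '' and no notice.
function field($name)
{
    return isset($_GET[$name]) ? $_GET[$name] : '';
}

// Escape at the point where user input meets SQL: every $_GET value, once.
$year    = esc($link, field('year'));
$subject = esc($link, field('subject'));

$result = mysql_query("SELECT admin FROM students WHERE year='$year'", $link)
    or die(mysql_error());

while ($row = mysql_fetch_assoc($result)) {
    $admin = $row['admin'];

    // The field names 'Aut7<admin>' etc. are built from a database value, but
    // the values the user typed into those fields are still untrusted.
    $score    = esc($link, field('Aut7' . $admin));
    $effort   = esc($link, field('Aut7_Effort' . $admin));
    $note     = esc($link, field('Aut7_Note' . $admin));
    $adminEsc = esc($link, $admin);   // came from the DB, but escape it anyway

    // Every interpolated value is escaped AND sits between single quotes.
    // mysql_real_escape_string does nothing for an unquoted value such as
    // WHERE id=$id, and nothing for identifiers (table or column names).
    $sql = "UPDATE assess
            SET Aut7='$score', Aut7_Effort='$effort', Aut7_Note='$note'
            WHERE admin='$adminEsc' AND subject_id='$subject'";
    mysql_query($sql, $link) or die(mysql_error());
}

// The mysql_* functions are deprecated in PHP 5.5 and removed in PHP 7.0.
// With PDO prepared statements the escaping question disappears: the
// placeholders keep the data separate from the SQL text.
$pdo = new PDO('mysql:host=localhost;dbname=school;charset=utf8', 'dbuser', 'dbpass',
    array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
          PDO::ATTR_EMULATE_PREPARES => false));

$students = $pdo->prepare('SELECT admin FROM students WHERE year = ?');
$students->execute(array(field('year')));

$update = $pdo->prepare(
    'UPDATE assess SET Aut7 = ?, Aut7_Effort = ?, Aut7_Note = ?
     WHERE admin = ? AND subject_id = ?');

foreach ($students as $row) {
    $admin = $row['admin'];
    $update->execute(array(
        field('Aut7' . $admin),
        field('Aut7_Effort' . $admin),
        field('Aut7_Note' . $admin),
        $admin,
        field('subject'),
    ));
}
```

Two things to check in your own version: mysql_real_escape_string must be called after mysql_connect (with no connection it returns false and emits a warning, so the query would run with an empty value), and it only helps for values that end up inside quotes. A number used as WHERE id=$id without quotes needs a cast to int instead, and a column or table name built from user input cannot be escaped at all and has to be checked against a fixed list of allowed names.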