Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Would it be wise to use mysql_real_escape_string() on all the $_FILES array variables I am using in this query? I was worried that escaping it could cause problems. Any help would be greatly appreciated. Thanks!
I suppose you mean 'prepare for use in a MySQL query' by 'escaping'. The whole point of 'preparing' is to make sure that the data that is added to the database is the same data as you originally had. Thus no, preparing does not have a bad influence.
(Be aware of the fact that if you don't use move_uploaded_file, the $_FILES[$file] are removed as soon as the script ends. So I don't really see why you would want to store that in the database. First move the file to $path_for_store and then save that path in the database.)
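The order suggested in the reply (move the file first, then save the path), written out as an added example that is not code from the thread. It uses PDO bound parameters in place of mysql_real_escape_string(), which was removed in PHP 7.0; the table `uploads`, the form field `userfile`, the storage directory and the database credentials are assumed placeholders.

```php
<?php
declare(strict_types=1);

// Assumed placeholder (not from the thread): a directory outside the web root.
const UPLOAD_DIR = '/var/www/private_uploads';

function store_upload(PDO $db, array $file, string $dir): string
{
    // 'error', 'size' and 'tmp_name' are set by PHP itself;
    // 'name' and 'type' are sent by the client and are untrusted.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload did not complete successfully');
    }

    // Never build the destination from the client-supplied name; generate one.
    $path = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16));

    // Move first: the temporary file is deleted when the request ends.
    // move_uploaded_file() refuses anything that was not an HTTP POST upload.
    if (!move_uploaded_file($file['tmp_name'], $path)) {
        throw new RuntimeException('Could not move uploaded file');
    }

    // The original name is stored only as data, passed as a bound parameter,
    // so no manual escaping is involved and the value is stored unchanged.
    $stmt = $db->prepare(
        'INSERT INTO uploads (stored_path, original_name, size_bytes) VALUES (?, ?, ?)'
    );
    $stmt->execute([$path, basename((string) $file['name']), (int) $file['size']]);

    return $path;
}

if (isset($_FILES['userfile'])) {
    // DSN and credentials are placeholders for this example.
    $db = new PDO(
        'mysql:host=localhost;dbname=example;charset=utf8mb4',
        'app_user',
        'app_password',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );
    store_upload($db, $_FILES['userfile'], UPLOAD_DIR);
}
```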