$_FILES -> escaping?
Posted: Fri May 12, 2006 2:46 pm
I have a script that handles some file uploads and the INSERT query looks like this:
Code:
$upload_query = "INSERT INTO table (id, file_name, file_size, file_type, img_url, img_url2) VALUES ($insert_id, '{$_FILES[$filename]['name']}', {$_FILES[$filename]['size']}, '{$_FILES[$filename]['type']}', '$img_url', '$img_url2')";
Would it be wise to use mysql_real_escape_string() on all the $_FILES array variables I am using in this query? I was worried that escaping it could cause problems. Any help would greatly be appreciated. Thanks!
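An added example, not part of the original post: the same INSERT written with bound parameters instead of string interpolation, so the client-supplied `name` and `type` values need no manual escaping and are stored unchanged. The table name `uploads`, the function `insert_upload()` and the sample values are assumptions; an in-memory SQLite database is used only so the block runs offline.

```php
<?php
// Added example with constructed data; the column layout follows the query in the post.
// The same prepare/bind/execute pattern applies when the PDO DSN points at MySQL.

function insert_upload(PDO $db, int $insertId, array $file, string $imgUrl, string $imgUrl2): void
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException("upload failed with code $error");
    }
    $stmt = $db->prepare(
        'INSERT INTO uploads (id, file_name, file_size, file_type, img_url, img_url2)
         VALUES (:id, :name, :size, :type, :url, :url2)'
    );
    // name and type are sent by the browser: treat them as untrusted strings
    // and pass them as data, never as part of the SQL text.
    $stmt->bindValue(':id', $insertId, PDO::PARAM_INT);
    $stmt->bindValue(':name', (string) $file['name'], PDO::PARAM_STR);
    $stmt->bindValue(':size', (int) $file['size'], PDO::PARAM_INT);
    $stmt->bindValue(':type', (string) $file['type'], PDO::PARAM_STR);
    $stmt->bindValue(':url', $imgUrl, PDO::PARAM_STR);
    $stmt->bindValue(':url2', $imgUrl2, PDO::PARAM_STR);
    $stmt->execute();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE uploads (id INTEGER, file_name TEXT, file_size INTEGER,
           file_type TEXT, img_url TEXT, img_url2 TEXT)');

// Constructed stand-in for $_FILES[$filename]; the name contains both quote characters.
$file = [
    'name'  => "bob's \"holiday\".jpg",
    'type'  => 'image/jpeg',
    'size'  => 20480,
    'error' => UPLOAD_ERR_OK,
];
insert_upload($db, 1, $file, '/img/1.jpg', '/img/1_thumb.jpg');

// Read the row back and compare the stored name with the submitted one.
$row = $db->query('SELECT file_name, file_size FROM uploads WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
var_dump($row['file_name'] === $file['name'], (int) $row['file_size']);
```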