
$_FILES -> escaping?

Posted: Fri May 12, 2006 2:46 pm
by seodevhead
I have a script that handles some file uploads and the INSERT query looks like this:

$upload_query = "INSERT INTO table (id, file_name, file_size, file_type, img_url, img_url2) VALUES ($insert_id, '{$_FILES[$filename]['name']}', {$_FILES[$filename]['size']}, '{$_FILES[$filename]['type']}', '$img_url', '$img_url2')";
Would it be wise to use mysql_real_escape_string() on all the $_FILES array variables I am using in this query? I was worried that escaping it could cause problems. Any help would be greatly appreciated. Thanks!

Posted: Fri May 12, 2006 2:53 pm
by timvw
I suppose you mean 'prepare for use in a mysql query' with 'escaping'. The whole point of 'preparing' is to make sure that the data added to the database is the same data as you originally had. Thus no, preparing does not have a bad influence.

(Be aware of the fact that if you don't use move_uploaded_file the file in $_FILES[$file] is removed as soon as the script ends. So I don't really see why you would want to store that in the database. First move the file to $path_for_store and then save that path in the database)
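The sequence timvw describes (move the upload out of the temporary directory first, then store the path), combined with the escaping question from the original post, as an added example that is not code from either poster. It uses a mysqli prepared statement instead of mysql_real_escape_string(), which is the modern equivalent of "preparing" the values; the connection $db, the form field name "upload", the storage directory $path_for_store, the table "uploads" and the store_upload() function are all assumptions made for the example.

```php
<?php
// Added example (not seodevhead's or timvw's code). Assumptions: a mysqli
// connection $db, an upload field named "upload", a writable directory
// $path_for_store, and a table uploads(id, file_name, file_size, file_type,
// img_url). Requires PHP 7+ for random_bytes().

// Make mysqli raise exceptions on any failure instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function store_upload(mysqli $db, string $field, string $path_for_store, int $insert_id): string
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('no usable upload in field ' . $field);
    }
    $f = $_FILES[$field];

    // The client-supplied name is untrusted: keep only the basename and a
    // conservative character set so it cannot carry path separators,
    // quotes or control bytes into the file system or the database.
    $clean_name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($f['name']));
    if ($clean_name === '' || $clean_name[0] === '.') {
        $clean_name = 'upload';
    }

    // The on-disk name is chosen by the server, with a random prefix so two
    // uploads with the same client name cannot overwrite each other.
    $dest = rtrim($path_for_store, '/') . '/' . bin2hex(random_bytes(8)) . '_' . $clean_name;

    // move_uploaded_file() verifies the source really is an upload from this
    // request and moves it before PHP deletes the temporary file at exit.
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload to ' . $dest);
    }

    // Derive the type from the file contents rather than trusting the
    // browser-reported $_FILES[...]['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($dest) ?: 'application/octet-stream';
    $size  = (int) $f['size'];

    // Prepared statement: the values travel separately from the SQL text, so
    // no escaping of $_FILES data is needed and a quote in a file name cannot
    // change the query. Column and table names are fixed strings, never input.
    $stmt = $db->prepare(
        'INSERT INTO uploads (id, file_name, file_size, file_type, img_url) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('isiss', $insert_id, $clean_name, $size, $mime, $dest);
    $stmt->execute();
    $stmt->close();

    // The stored path (not the temporary name) is what later code should use.
    return $dest;
}

// Usage with hypothetical connection details and storage directory:
// $db   = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
// $path = store_upload($db, 'upload', '/var/www/uploads', $insert_id);
```

The bound parameters carry the file name verbatim, so nothing the user typed is altered on its way into the table, which is timvw's point about "preparing" having no bad influence. Keeping the storage directory outside the web root, or serving it with script execution disabled, is the usual companion to this pattern, since the stored path is what the application will later hand back to browsers.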

Posted: Fri May 12, 2006 2:58 pm
by seodevhead
Thanks a lot tim. Sound advice I will put into action. Thanks again for your help... much obliged! :)