Use mysql_real_escape_string just for INSERT or...?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

JAB Creations
DevNet Resident
Posts: 2341
Joined: Thu Jan 13, 2005 6:44 pm
Location: Sarasota Florida

Use mysql_real_escape_string just for INSERT or...?

Post by JAB Creations »

Should we use mysql_real_escape_string for all MySQL queries or just for INSERT queries?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Use mysql_real_escape_string just for INSERT or...?

Post by Mordred »

All queries. Escaping of data in SQL queries is done to handle cases where characters that have meaning in the SQL are used in the data. Failure to do so results in broken applications in general, and often insecure applications (SQL injection).

http://www.logris.org/security/escaping ... ty-measure
http://www.logris.org/security/the-unex ... -injection
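A worked illustration of the point above, added here and not from the original thread: the same user-supplied string breaks a SELECT's WHERE clause exactly as it would break an INSERT, so every query that embeds data needs escaping. It uses the mysqli extension (the old mysql_ functions are removed in modern PHP); the connection credentials and the users table are placeholders.

```php
<?php
// Added example: a SELECT built from user input is as injectable as an INSERT.
// Connection credentials and the 'users' table are placeholders (assumptions).
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}

// Constructed input: a single quote is a metacharacter inside SQL string literals.
$user = "o'brien";

// UNSAFE: the quote in the data terminates the SQL string early, giving a
// syntax error at best and an injection point at worst. Same problem as in an INSERT.
$unsafe = "SELECT id FROM users WHERE name = '$user'";
echo "Unsafe query:  $unsafe\n";

// Escaped: real_escape_string honours the connection's character set, which is
// why it needs a live connection (unlike addslashes()).
$escaped = $db->real_escape_string($user);
$safe = "SELECT id FROM users WHERE name = '$escaped'";
// Escaping only protects values that sit inside quotes in the SQL; integers
// and identifiers need their own handling (casting, whitelisting).
echo "Escaped query: $safe\n";

// Preferred: a prepared statement ships the data separately from the SQL text,
// so no escaping is needed for any statement type (SELECT, INSERT, UPDATE, DELETE).
$stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
$stmt->bind_param('s', $user);
$stmt->execute();
$stmt->bind_result($id);
while ($stmt->fetch()) {
    echo "Found id: $id\n";
}
$stmt->close();
$db->close();
```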
JAB Creations
DevNet Resident
Posts: 2341
Joined: Thu Jan 13, 2005 6:44 pm
Location: Sarasota Florida

Re: Use mysql_real_escape_string just for INSERT or...?

Post by JAB Creations »

Nice... I understand also what you mean about $_SERVER. For example, I'm sure you could use a user agent to somehow pass an SQL injection attack or something along those lines. Thanks for the links. :)