Use mysql_real_escape_string just for INSERT or...?
Posted: Sun Sep 14, 2008 8:07 pm
by JAB Creations
Should we use mysql_real_escape_string for all MySQL queries or just for INSERT queries?
Re: Use mysql_real_escape_string just for INSERT or...?
Posted: Mon Sep 15, 2008 1:39 am
by Mordred
All queries. Escaping of data in SQL queries is done to handle cases where characters that have meaning in the SQL are used in the data. Failure to do so results in broken applications in general, and often insecure applications (SQL injection).
http://www.logris.org/security/escaping ... ty-measure
http://www.logris.org/security/the-unex ... -injection
Re: Use mysql_real_escape_string just for INSERT or...?
Posted: Mon Sep 15, 2008 1:52 am
by JAB Creations
Nice... I also understand what you mean about $_SERVER. For example, I'm sure you could use a user agent to somehow pass an SQL injection attack or something along those lines. Thanks for the links.
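
The point made in the thread, that SELECT queries need the same handling as INSERT and that `$_SERVER` values count as untrusted data, shown as an added example that is not part of the original posts. It assumes the `pdo_sqlite` extension: an in-memory SQLite database stands in for MySQL so the script runs offline, `PDO::quote()` plays the role of `mysql_real_escape_string()`, and the table name and header values are constructed.

```php
<?php
// Added example: in-memory SQLite via PDO stands in for MySQL (assumption).
// PDO::quote() plays the role mysql_real_escape_string() plays in the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE visits (id INTEGER PRIMARY KEY, agent TEXT)');

// Constructed sample values. The second contains a single quote, which is
// ordinary data for a User-Agent header but has meaning in SQL.
$agents = ['Mozilla/5.0 (X11; Linux)', "Bob's Browser/1.0"];

// INSERT with bound parameters: the data never becomes part of the SQL text.
$ins = $db->prepare('INSERT INTO visits (agent) VALUES (?)');
foreach ($agents as $a) {
    $ins->execute([$a]);
}

// Simulated request header (constructed; normally filled in by the web server).
$_SERVER['HTTP_USER_AGENT'] = "Bob's Browser/1.0";
$ua = $_SERVER['HTTP_USER_AGENT'];

// 1) SELECT built by concatenation without escaping: the quote ends the
//    string literal early and the statement no longer parses.
try {
    $db->query("SELECT COUNT(*) FROM visits WHERE agent = '$ua'");
    echo "unescaped SELECT: ran\n";
} catch (PDOException $e) {
    echo "unescaped SELECT: failed (", $e->getMessage(), ")\n";
}

// 2) Same SELECT with the value escaped and quoted before concatenation.
$n = $db->query('SELECT COUNT(*) FROM visits WHERE agent = ' . $db->quote($ua))
        ->fetchColumn();
echo "escaped SELECT: $n row(s)\n";

// 3) Same SELECT with a bound parameter, which needs no manual escaping.
$sel = $db->prepare('SELECT COUNT(*) FROM visits WHERE agent = ?');
$sel->execute([$ua]);
echo "prepared SELECT: ", $sel->fetchColumn(), " row(s)\n";
```

The unescaped SELECT fails on a harmless apostrophe, which is the "broken application" case; the same gap is what makes a query injectable when the value is chosen by someone else.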
