$_FILES -> escaping?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Post by seodevhead »

I have a script that handles some file uploads and the INSERT query looks like this:

Code:

$upload_query = "INSERT INTO table (id, file_name, file_size, file_type, img_url, img_url2) VALUES ($insert_id, '{$_FILES[$filename]['name']}', {$_FILES[$filename]['size']}, '{$_FILES[$filename]['type']}', '$img_url', '$img_url2')";
Would it be wise to use mysql_real_escape_string() on all the $_FILES array variables I am using in this query? I was worried that escaping them could cause problems. Any help would be greatly appreciated. Thanks!
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

I suppose you mean 'prepare for use in a MySQL query' by 'escaping'. The whole point of 'preparing' is to make sure that the data that is added to the database is the same data you originally had. Thus no, preparing does not have a bad influence.

(Be aware of the fact that if you don't use move_uploaded_file(), the files in $_FILES[$file] are removed as soon as the script ends. So I don't really see why you would want to store that in the database. First move the file to $path_for_store and then save that path in the database.)
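Putting the answer above into code: an added example (not from either poster) showing the upload being moved out of the temporary area first, its metadata then written with a mysqli prepared statement, and, for comparison, the same INSERT built with escaping as the question asks. It assumes a mysqli connection $db, an upload field named 'upload', a storage directory $path_for_store, and a table `uploads` with columns (id, file_name, file_size, file_type, stored_path); all of those names are assumptions. The mysql_* extension named in the question no longer exists in current PHP, so mysqli_real_escape_string() stands in for mysql_real_escape_string(). Note that $_FILES[...]['name'] and ['type'] arrive from the client's request, so they need the same treatment as any other user input.

```php
<?php
// Added example, not code from the original thread. Assumed: $db is a live
// mysqli connection, table `uploads`(id, file_name, file_size, file_type,
// stored_path), and the upload field is named 'upload'.
declare(strict_types=1);

/**
 * Move an uploaded file to $path_for_store and record it in the database.
 * Returns true on success, false if there was no usable upload.
 */
function store_upload(mysqli $db, string $field, string $path_for_store, int $insert_id): bool
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $up = $_FILES[$field];

    // 'name' and 'type' are client-supplied: keep only the base name and cap
    // the lengths so they fit the columns. They are data, never a disk path.
    $original_name = substr(basename($up['name']), 0, 255);
    $client_type   = substr($up['type'], 0, 100);
    $size          = (int) $up['size'];

    // Use a server-generated file name on disk; the original name is stored
    // as a database field only.
    $stored_path = rtrim($path_for_store, '/') . '/' . bin2hex(random_bytes(16));

    // move_uploaded_file() also checks that tmp_name really is an HTTP upload.
    if (!move_uploaded_file($up['tmp_name'], $stored_path)) {
        return false;
    }

    // Prepared statement: the values never become part of the SQL text, so
    // nothing needs escaping and what lands in the table is exactly what we
    // passed in (the point timvw makes above).
    $stmt = $db->prepare(
        'INSERT INTO uploads (id, file_name, file_size, file_type, stored_path) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('isiss', $insert_id, $original_name, $size, $client_type, $stored_path);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/**
 * The approach asked about: build the SQL string by hand, escaping every
 * string value with mysqli_real_escape_string() and quoting it, and casting
 * the numeric value so it needs no quotes. Escaping only makes the SQL text
 * unambiguous; the data stored is unchanged, which is why it is safe to do.
 */
function upload_query_escaped(mysqli $db, int $insert_id, array $up, string $stored_path): string
{
    $name = $db->real_escape_string(substr(basename($up['name']), 0, 255));
    $type = $db->real_escape_string(substr($up['type'], 0, 100));
    $path = $db->real_escape_string($stored_path);
    $size = (int) $up['size'];
    return "INSERT INTO uploads (id, file_name, file_size, file_type, stored_path) "
         . "VALUES ($insert_id, '$name', $size, '$type', '$path')";
}

// Usage (assumed request context):
// store_upload($db, 'upload', $path_for_store, $insert_id);
```

real_escape_string() needs an open connection because the escaping depends on the connection's character set, which is one reason the prepared-statement form is the simpler of the two to get right.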
seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Post by seodevhead »

Thanks a lot, Tim. Sound advice I will put into action. Thanks again for your help... much obliged! :)