[SOLVED] mysql_real_escape_string

[jaymc]

As a general rule of thumb, is it correct to say that when ever running a query that uses $_GET or $_POST paramteres within the query, should all these values be passed through mysql_real_escape string

 

If so, is there further more protection you should apply to make it as safe as possible, or should that do the trick

 

How intensive is this and does it actually touch the database as I noticed the function wont run unless a mysql connection has been opened which I find strange? especially when just trying to test it

 

Feasble to run it on all keys of a $_POST which has 10 entries?

[GingerRobot]

It really depends on the data you're expecting. If you wish to allow any characters through, then yes, mysql_real_escape_string() will do.

 

If you with to allow any characters through, but want to block html tags, then you'll need to either use strip_tags() or htmlentities() (depending on wether you wish to delete them, or change all special characters to their relevant character code) first, then use mysql_real_escape_string.

 

If you only wish to allow alphanumeric characters, check it with a regular expression/ctype_alnum() - if you do this, you woudn't need to use mysql_real_escape_string.

 

If you're only allowing a number or integer, again check the contents - either ctype_digit(),is_numeric() etc.

 

For the checking of integers you can also use type casting.

 

So it really depends on what you're trying to do.

 

In answer to your final question, there would be no problem using the function on 10 pieces of data. It's not resource intensive.

[jaymc]

Great stuff!

 

Thanks for info that has give me a better idea