Northern Flame
Posted May 20, 2008

I am using the function htmlentities() to protect my website from people trying to post HTML on my website, and I also added the ENT_QUOTES option to the function so that it converts double quotes to &quot; and converts single quotes to &#039;, so is there a need for me to also use mysql_real_escape_string? I guess what I'm asking is if mysql_real_escape_string() protects against more than single and double quotes.

DarkWater
Posted May 21, 2008

Yes, you should always use it.

AndyB
Posted May 21, 2008

Whether it should always be used or not, understanding what it does is helpful -> http://ca3.php.net/mysql_real_escape_string

DarkWater
Posted May 21, 2008

Okay, sorry, you don't need to use it if you're hashing something (like MD5ing a password) and inserting it or if you're inserting values that you know are clean. Any input that involves ANY user interaction must be escaped.

redarrow
Posted May 21, 2008

Sorry, but that doesn't sound correct, md5 with no escaping. What about if the user is posting a password and it is converted to md5 before getting to the database... example

<?php
// if a password is coming from the form then I think you need to escape the md5...
$password = mysql_real_escape_string(MD5($_POST['password']));
?>

DyslexicDog
Posted May 21, 2008

> Sorry, but that doesn't sound correct, md5 with no escaping. What about if the user is posting a password and it is converted to md5 before getting to the database... example
>
> <?php
> // if a password is coming from the form then I think you need to escape the md5...
> $password = mysql_real_escape_string(MD5($_POST['password']));
> ?>

Why? MD5 only returns alphanumeric characters in my testing. If you MD5 an SQL injection attempt, you're only going to get a hashed alphanumeric string back.

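An added example, not part of the original thread: it checks which of the characters the PHP manual lists as escaped by mysql_real_escape_string() come back unchanged from htmlentities() with ENT_QUOTES, and whether md5() output ever contains anything other than hexadecimal digits. The constant, the function names and the sample strings are constructed for illustration.

```php
<?php
// Added example, not code from the thread.
// Characters the PHP manual lists as escaped by mysql_real_escape_string().
const SQL_ESCAPED = [
    'NUL'             => "\x00",
    'newline'         => "\n",
    'carriage return' => "\r",
    'backslash'       => "\\",
    'single quote'    => "'",
    'double quote'    => '"',
    'Ctrl-Z'          => "\x1a",
];

// Names of the characters above that htmlentities(..., ENT_QUOTES)
// returns unchanged, i.e. that HTML encoding does nothing about.
function passedThroughByHtmlentities(): array
{
    $unchanged = [];
    foreach (SQL_ESCAPED as $name => $char) {
        if (htmlentities($char, ENT_QUOTES, 'UTF-8') === $char) {
            $unchanged[] = $name;
        }
    }
    return $unchanged;
}

// True when md5() of every sample is exactly 32 lowercase hex digits.
function md5OutputIsHexOnly(array $samples): bool
{
    foreach ($samples as $sample) {
        if (preg_match('/\A[0-9a-f]{32}\z/', md5($sample)) !== 1) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs: each SQL-special character on its own,
// plus one string that mixes quotes and a backslash.
$samples   = array_values(SQL_ESCAPED);
$samples[] = "O'Reilly \\ \"quoted\"";

echo 'Not encoded by htmlentities: ',
    implode(', ', passedThroughByHtmlentities()), "\n";
echo 'md5() output hex-only: ',
    md5OutputIsHexOnly($samples) ? 'yes' : 'no', "\n";
```

htmlentities() is an encoder for HTML output and the escaping function targets SQL string literals, so the first line of the report shows where the two character sets differ.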