rubing, posted August 3, 2008
https://forums.phpfreaks.com/topic/117952-escaping-needed-with-select/

I use the improved MySQL functions to escape my data prior to insertion (e.g. mysqli_real_escape_string), so a subtle question arises. Do I query as follows:

    $query = "SELECT cola FROM table.a WHERE colb='$var'";
    $conn->query($query);

Or like this:

    $var   = $conn->real_escape_string($var);
    $query = "SELECT cola FROM table.a WHERE colb='$var'";
    $conn->query($query);
zq29, posted August 3, 2008

You should escape $var before running it as part of a query, assuming it is user input.
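The two forms side by side, as an added example that is not part of the thread: the escaped string interpolation zq29 recommends, and a prepared statement that avoids interpolation altogether. It assumes a MySQLi connection with placeholder credentials and a table `a` with columns `cola` and `colb` (names taken from the question); `get_result()` requires the mysqlnd driver.

```php
<?php
// Added example, not code from the original thread.
// Placeholder credentials: replace with your own.
$conn = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
if ($conn->connect_error) {
    throw new RuntimeException($conn->connect_error);
}

// Option 1: escape the untrusted value before interpolating it into the SQL
// string. This is needed for SELECT just as for INSERT: an unescaped quote in
// $var would end the string literal and change the structure of the query.
function select_escaped(mysqli $conn, string $var): array
{
    $safe   = $conn->real_escape_string($var);
    $query  = "SELECT cola FROM a WHERE colb = '$safe'";
    $result = $conn->query($query);
    if ($result === false) {
        throw new RuntimeException($conn->error);
    }
    return $result->fetch_all(MYSQLI_ASSOC);
}

// Option 2: a prepared statement sends the value separately from the SQL
// text, so nothing is interpolated, nothing needs escaping, and the query
// structure cannot change regardless of what $var contains.
function select_prepared(mysqli $conn, string $var): array
{
    $stmt = $conn->prepare("SELECT cola FROM a WHERE colb = ?");
    if ($stmt === false) {
        throw new RuntimeException($conn->error);
    }
    $stmt->bind_param('s', $var);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed input containing a single quote. With option 1 the literal
// becomes 'O\'Brien' and the query stays well-formed; with option 2 the
// value is bound as-is and never touches the SQL text.
$input = "O'Brien";
printf("escaped literal: %s\n", $conn->real_escape_string($input));
var_dump(select_escaped($conn, $input) === select_prepared($conn, $input));
```

Both functions return the same rows for the same input; the prepared form is the one to prefer for new code, but if values are interpolated, escaping applies to every statement type, not only INSERT.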