rubing Posted August 3, 2008

I use the improved mysql functions to escape my data prior to insertion (e.g. mysqli_real_escape_string), so a subtle question arises. Do I query as follows:

    $query = "SELECT cola FROM table.a WHERE colb='$var'";
    $conn->query($query);

Or like this:

    $var = $conn->real_escape_string($var);
    $query = "SELECT cola FROM table.a WHERE colb='$var'";
    $conn->query($query);
zq29 Posted August 3, 2008

You should escape $var before running it as part of a query, assuming it is user input.
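The two query styles from the question, side by side with the prepared-statement form that avoids the escaping step entirely, as an added example that is not part of the original thread. The table and column names (table.a, cola, colb) are taken from the question; the connection parameters, the sample value "O'Brien" and the function names are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example (not from the original thread). Connection parameters below are
// placeholders; replace them with your own. `table` is a reserved word in MySQL,
// so the database name from the question is quoted with backticks here.

// Constructed sample input: a legitimate value containing a single quote. The
// quote terminates the string literal in an unescaped query, which is exactly the
// hole an attacker-chosen value would exploit.
$untrusted = "O'Brien";

// Style 1 from the question: raw interpolation. The apostrophe closes the literal
// early, so the statement is malformed and, with a crafted value, its WHERE clause
// is rewritten. This is the vulnerable form.
function buildQueryUnescaped(string $var): string
{
    return "SELECT cola FROM `table`.`a` WHERE colb='$var'";
}

// Style 2 from the question: escape through the same mysqli connection the query
// runs on. The escaping depends on the connection's character set, so the object
// used for real_escape_string() must be the one that executes the query.
function buildQueryEscaped(mysqli $conn, string $var): string
{
    $safe = $conn->real_escape_string($var);
    return "SELECT cola FROM `table`.`a` WHERE colb='$safe'";
}

// Prepared statement: the value is sent separately from the SQL text, so there is
// no escaping step to forget. bind_result() is used instead of get_result() so the
// function does not depend on the mysqlnd driver.
function fetchColaPrepared(mysqli $conn, string $var): array
{
    $stmt = $conn->prepare("SELECT cola FROM `table`.`a` WHERE colb = ?");
    $stmt->bind_param('s', $var);
    $stmt->execute();
    $stmt->bind_result($cola);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = $cola;
    }
    $stmt->close();
    return $rows;
}

// Placeholder connection details (hypothetical).
$conn = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'table');
$conn->set_charset('utf8mb4');

echo buildQueryUnescaped($untrusted), PHP_EOL;   // unterminated literal
echo buildQueryEscaped($conn, $untrusted), PHP_EOL; // quote escaped by the driver

$rows = fetchColaPrepared($conn, $untrusted);
printf("prepared query matched %d row(s)\n", count($rows));
```

Calling set_charset() before real_escape_string() matters: mysqli escapes according to the connection's character set, and a mismatch between the charset the driver assumes and the one the server uses is the classic way an escaped string is still parsed wrongly. The prepared-statement function sidesteps that whole class of problems and is the form to reach for when the query is built from user input.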