Xyphon, posted August 25, 2008
I have a very important question revolving around this function. When do you need to use mysql_real_escape_string? Do you only need to use it in text, or all $_POST or $_GET? Because you can only hack with text, so is there any need to use it anywhere else? Thank you, Xyphon.

trq, posted August 25, 2008
It needs to be used on any (and all) user inputted (or user has influence over) data you intend to use within an sql query.

Xyphon (author), posted August 25, 2008
So let's say there was a button that let them use an attack in battle, I'd have to real_escape_string it?

PFMaBiSmAd, posted August 26, 2008
Any $_POST, $_FILES, $_GET, or $_COOKIE data sent to your code can be manipulated and needs to be escaped if put into an sql query to prevent sql injection and to prevent broken queries should that data contain any special characters.

Xyphon (author), posted August 26, 2008
Oh so as long as it's not in a query, it's okay?

trq, posted August 26, 2008
> Oh so as long as it's not in a query, it's okay?
Yes, mysql_real_escape_string() is used to escape data intended for a query.
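
The point made in the replies, that a value submitted by a button is as client-controlled as a text box, shown as an added example that is not part of the thread. It assumes PDO with an in-memory SQLite database so it runs offline, with PDO::quote() standing in for mysql_real_escape_string() (the mysql_* extension was removed in PHP 7.0); the table, field name and request values are constructed.

```php
<?php
// Added example with constructed data; in-memory SQLite so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE attacks (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)');
$pdo->exec("INSERT INTO attacks VALUES
    (1, 'Slash', 'player'), (2, 'Fireball', 'player'), (3, 'Staff Smite', 'staff')");

// The page only renders buttons with value="1" or value="2", but the client
// builds the request, so the field can arrive holding anything.
$requests = [
    'button as rendered' => ['attack' => '2'],
    'edited request'     => ['attack' => '2 OR 1=1'],   // constructed value
];

function names(PDOStatement $stmt): array
{
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$base = "SELECT name FROM attacks WHERE owner = 'player' AND id = ";

foreach ($requests as $label => $post) {
    $value = $post['attack'];   // stands in for $_POST['attack']

    // 1. Raw concatenation: the field is parsed as part of the SQL statement.
    $raw = names($pdo->query($base . $value));

    // 2. Escaped and quoted: the field can only ever be a string literal.
    $escaped = names($pdo->query($base . $pdo->quote($value)));

    // 3. Prepared statement: the field is sent as data, never as SQL text.
    $stmt = $pdo->prepare($base . '?');
    $stmt->execute([$value]);
    $bound = names($stmt);

    printf("%-20s raw=%s escaped=%s bound=%s\n", $label,
        json_encode($raw), json_encode($escaped), json_encode($bound));
}
```

For the edited request only the raw query returns rows outside the player's own attacks; the escaped and bound queries match nothing, and all three return the single expected row for the button as rendered.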