[SOLVED] mysql_real_escape_string

[Xyphon]

I have a very important question revolving around this function..

 

When do you need to use mysql_real_escape_string.

 

Do you only need to use it in text, or all $_POST or $_GET. Because you can only hack with text, so is there any need to use it anywhere else?

 

Thank you,

Xyphon.

[trq]

It needs to be used on any (and all) user inputted (or user has influence over) data you intend to use within an sql query.

[Xyphon]

So lets say there was a button that let them use an attack in battle, I'd have to real_escape_string it?

[PFMaBiSmAd]

Any $_POST, $_FILES, $_GET, or $_COOKIE data sent to your code can be manipulated and needs to be escaped if put into an sql query to prevent sql injection and to prevent broken queries should that data contain any special characters.

[Xyphon]

Oh so as long as its no in a query, it's okay?

[trq]

Oh so as long as its no in a query, it's okay?

 

Yes, mysql_real_escape_string() is used to escape data intended for a query.