Gazan Posted January 31, 2009 Share Posted January 31, 2009 Hey, just got a simple question. Do you need to use mysql_real_escape_string everytime you exchange data within the database, or is it only when you put into the database? Thanks Quote Link to comment Share on other sites More sharing options...
.josh Posted January 31, 2009 Share Posted January 31, 2009 You use that to escape quotes to prevent (most) sql injection attacks. You are supposed to validate data going into the database, so there shouldn't be a reason to validate it going out. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted January 31, 2009 Share Posted January 31, 2009 Slightly different slant on it - any string data that could contain special characters that would break a query (or allow sql injection) that is placed into a query statement should use mysql_real_escape_string(). This includes all string data from an external source and any internal string data that could contain special character (assuming that magic_quotes_runtime is OFF) or internal string data that you don't explicitly know does not contain any characters that could break a query. Safe usage would be to use it on any string data placed in a query. Quote Link to comment Share on other sites More sharing options...
Mark Andrew Cunningham Posted January 31, 2009 Share Posted January 31, 2009 You can enter data straight into your database but you should only do it for testing purposes without mysql_real_escape_string() your leaving a door wide open to hackers and the like. Also have you heard of htmlentities() function It helps with user input aswell!! Quote Link to comment Share on other sites More sharing options...
.josh Posted January 31, 2009 Share Posted January 31, 2009 I personally validate with good old fashioned regex. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.