Gazan, posted January 31, 2009 (https://forums.phpfreaks.com/topic/143246-a-question-regarding-mysql_real_escape_string/):
Hey, just got a simple question. Do you need to use mysql_real_escape_string every time you exchange data with the database, or only when you put data into the database? Thanks
.josh, posted January 31, 2009:
You use that to escape quotes to prevent (most) SQL injection attacks. You are supposed to validate data going into the database, so there shouldn't be a reason to validate it going out.
PFMaBiSmAd, posted January 31, 2009:
Slightly different slant on it: any string data that could contain special characters that would break a query (or allow SQL injection) and that is placed into a query statement should go through mysql_real_escape_string(). This includes all string data from an external source, any internal string data that could contain special characters (assuming that magic_quotes_runtime is OFF), and any internal string data that you don't explicitly know is free of characters that could break a query. Safe usage would be to use it on any string data placed in a query.
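The rule above, "escape every string that lands inside a query", shown as an added example that is not from the thread. It uses mysqli, the successor of the mysql_* extension the posters are using (mysqli_real_escape_string() does the same job as mysql_real_escape_string()), assumes a hypothetical table `users(id, name)` with placeholder connection details, and constructs its own attacker-style input.

```php
<?php
// Added example, not code from the forum thread. Connection details and the
// `users` table are assumptions; $input is a constructed attacker-style value.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'app');
$db->set_charset('utf8mb4'); // escaping is charset-aware, so set it on the connection

$input = "O'Brien' OR '1'='1"; // constructed: a quote that would end the literal early

// 1. The mistake: the raw string is interpolated into the SQL text. The single
//    quote in $input closes the literal and the rest becomes SQL.
function build_unescaped_query(string $name): string
{
    return "SELECT id FROM users WHERE name = '$name'";
}

// 2. The thread's advice: escape every string placed inside quotes in a query.
//    Quotes, backslashes and NUL bytes are escaped for the connection charset,
//    so the entire value stays inside the literal.
function build_escaped_query(mysqli $db, string $name): string
{
    $safe = $db->real_escape_string($name);
    return "SELECT id FROM users WHERE name = '$safe'";
}

// 3. Stronger form: a prepared statement. The value is sent separately from
//    the SQL text, so nothing needs escaping at all.
function find_user_ids(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_NUM);
}

// Caveat: escaping only protects a value that sits between quotes. An unquoted
// numeric value is not helped by escaping; cast it instead.
function build_id_query(int $id): string
{
    return 'SELECT name FROM users WHERE id = ' . (int) $id;
}

echo build_unescaped_query($input), "\n";   // broken: literal ends at the first '
echo build_escaped_query($db, $input), "\n"; // intact: O\'Brien\' OR \'1\'=\'1
var_dump(find_user_ids($db, $input));        // matches only that exact name, if any
echo build_id_query(7), "\n";
```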
Mark Andrew Cunningham, posted January 31, 2009:
You can enter data straight into your database, but you should only do it for testing purposes. Without mysql_real_escape_string() you're leaving a door wide open to hackers and the like. Also, have you heard of the htmlentities() function? It helps with user input as well!!
.josh, posted January 31, 2009:
I personally validate with good old-fashioned regex.