orange08 (posted August 27, 2009):

Before a variable is used in an SQL command, I apply mysql_real_escape_string() to it to prevent SQL injection... so when I insert a new record into my database, I do the same...

As far as I know, when data is saved into the database, MySQL automatically removes the backslashes used as escape characters, so I would like to know: when I retrieve the variable from the database, is mysql_real_escape_string() still applied to it? If I want to save this retrieved data into the database again, do I need to apply mysql_real_escape_string() a second time?

McAwesome (posted August 27, 2009):

> Before a variable is used in an SQL command, I apply mysql_real_escape_string() to it to prevent SQL injection... so when I insert a new record into my database, I do the same...
>
> As far as I know, when data is saved into the database, MySQL automatically removes the backslashes used as escape characters, so I would like to know: when I retrieve the variable from the database, is mysql_real_escape_string() still applied to it? If I want to save this retrieved data into the database again, do I need to apply mysql_real_escape_string() a second time?

So, as I understand it, mysql_real_escape_string "cleans" all strings sent to the database, so if it's already "cleaned" why would you do it a second time?

...I may be wrong though

orange08 (author, posted August 27, 2009):

> > Before a variable is used in an SQL command, I apply mysql_real_escape_string() to it to prevent SQL injection... so when I insert a new record into my database, I do the same...
> >
> > As far as I know, when data is saved into the database, MySQL automatically removes the backslashes used as escape characters, so I would like to know: when I retrieve the variable from the database, is mysql_real_escape_string() still applied to it? If I want to save this retrieved data into the database again, do I need to apply mysql_real_escape_string() a second time?
>
> So, as I understand it, mysql_real_escape_string "cleans" all strings sent to the database, so if it's already "cleaned" why would you do it a second time?
>
> ...I may be wrong though

I'm not purposely doing it twice... I know that when I apply mysql_real_escape_string() to my data and save it into the database, it's clean... but as far as I know, the \ used by this function to clean the data won't be saved into the database together with the data...

In some cases, I need to retrieve the same data from the database again, and then I might use it in another SQL command... As this data has had mysql_real_escape_string() applied before and been saved and retrieved from the database... I just wonder whether I need to apply mysql_real_escape_string() to it again, as this time the data is not considered direct input from the user...
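
The question in this thread, worked through as an added example that is not part of the original posts: escaping applies to the SQL statement text and is not stored with the value, so a value read back from the database is raw again and needs the same handling in the next statement. Assumptions: PDO with an in-memory SQLite database and PDO::quote() stand in for the MySQL connection and mysql_real_escape_string() so the script runs without a server; the table names and the sample value are constructed.

```php
<?php
// Added example. PDO + in-memory SQLite stand in for the MySQL connection
// (assumption), and PDO::quote() plays the role of mysql_real_escape_string().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE audit (id INTEGER PRIMARY KEY, who TEXT)');

// Constructed sample input containing a quote character.
$input = "O'Brien";

// 1. First write: the value is escaped while the statement text is built.
$db->exec('INSERT INTO users (name) VALUES (' . $db->quote($input) . ')');

// 2. Read it back: the database stored the original string, with no
//    escape characters attached to it.
$stored = $db->query('SELECT name FROM users WHERE id = 1')->fetchColumn();
echo 'stored value: ', $stored, "\n";
echo 'identical to the original input: ', var_export($stored === $input, true), "\n";

// 3. Reusing the stored value unescaped in a second statement: its quote
//    character ends the string literal early and the statement is rejected.
try {
    $db->exec("INSERT INTO audit (who) VALUES ('$stored')");
    echo "unescaped reuse: accepted\n";
} catch (PDOException $e) {
    echo 'unescaped reuse: rejected (', $e->getMessage(), ")\n";
}

// 4. Escaping again on the second write is therefore required, and it does
//    not double-escape, because the stored value carried no escaping.
$db->exec('INSERT INTO audit (who) VALUES (' . $db->quote($stored) . ')');

// 5. A prepared statement removes the question: the value is sent as a
//    bound parameter and never becomes part of the statement text.
$stmt = $db->prepare('INSERT INTO audit (who) VALUES (:who)');
$stmt->execute([':who' => $stored]);

// Both rows hold the original value, unchanged.
foreach ($db->query('SELECT id, who FROM audit ORDER BY id') as $row) {
    echo 'audit row ', $row['id'], ': ', $row['who'], "\n";
}
```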