mysql_real_escape_string Question

phprocker · November 8, 2010

Is it necessary to use

mysql_real_escape_string()

when I'm retrieving fields from a table that the user had no input on the result?

Such as if there was a template color that the admin set in the siteconfig table that the script selects automatically with no user input.

Cheers!

revraz · November 8, 2010

It is designed to sanitize data going into the database.

phprocker · November 8, 2010

It is designed to sanitize data going into the database.

Couldn't there be an SQL injectionwhen there is any call to the database such as a SELECT from the table?

trq · November 8, 2010

It is designed to sanitize data going into the database.

Not exactly.

Couldn't there be an SQL injectionwhen there is any call to the database such as a SELECT from the table?

Yes. mysql_real_escape_string should be used on ANY and ALL user inputted data that is to be used within a query (of ANY and ALL types).

phprocker · November 8, 2010

Thorpe thank you for the answer. Now what about my first question though. Is it necessary to use it for non-user-input database queries such as a config selection from a config table.

trq · November 8, 2010

I believe that is covered in my last post.

The answer is no. hard coded queries are not effected.

phprocker · November 8, 2010

Thank you again. Marked Solved.

Sign In

mysql_real_escape_string Question

Recommended Posts

phprocker

Link to comment

Share on other sites

revraz

Link to comment

Share on other sites

phprocker

Link to comment

Share on other sites

trq

Link to comment

Share on other sites

phprocker

Link to comment

Share on other sites

trq

Link to comment

Share on other sites

phprocker

Link to comment

Share on other sites

Archived

Browse

Activity

Important Information