phprocker, posted November 8, 2010:

Is it necessary to use mysql_real_escape_string() when I'm retrieving fields from a table that the user had no input on the result? Such as if there was a template color that the admin set in the siteconfig table that the script selects automatically with no user input. Cheers!

revraz, posted November 8, 2010:

It is designed to sanitize data going into the database.

phprocker, posted November 8, 2010:

> It is designed to sanitize data going into the database.

Couldn't there be an SQL injection when there is any call to the database such as a SELECT from the table?

trq, posted November 8, 2010:

> It is designed to sanitize data going into the database.

Not exactly.

> Couldn't there be an SQL injection when there is any call to the database such as a SELECT from the table?

Yes. mysql_real_escape_string should be used on ANY and ALL user inputted data that is to be used within a query (of ANY and ALL types).

phprocker, posted November 8, 2010:

Thorpe, thank you for the answer. Now what about my first question though? Is it necessary to use it for non-user-input database queries such as a config selection from a config table?

trq, posted November 8, 2010:

I believe that is covered in my last post. The answer is no. Hard-coded queries are not affected.

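The distinction drawn in the two answers above, as an added example that is not part of the original thread or any poster's code: a hard-coded config lookup next to a SELECT that takes request data. Assumptions: PHP 7+ with pdo_sqlite; an in-memory SQLite database and PDO::quote() stand in for MySQL and mysql_real_escape_string() (the mysql_* extension was removed in PHP 7.0) so it runs offline; the tables, rows, function names and input are constructed.

```php
<?php
// Added example. Schema and rows are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE siteconfig (name TEXT PRIMARY KEY, value TEXT)");
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)");
$db->exec("INSERT INTO siteconfig VALUES ('template_color', 'blue')");
$db->exec("INSERT INTO users (username, email) VALUES ('alice', 'alice@example.test')");
$db->exec("INSERT INTO users (username, email) VALUES ('bob', 'bob@example.test')");

// 1. Hard-coded query: no outside value becomes part of the SQL text,
//    so there is nothing to escape.
function templateColor(PDO $db): string {
    $sql = "SELECT value FROM siteconfig WHERE name = 'template_color'";
    return (string) $db->query($sql)->fetchColumn();
}

// 2. "Before": request data concatenated into a SELECT. The input can
//    close the string literal and change the WHERE clause.
function findUserUnsafe(PDO $db, string $username): array {
    $sql = "SELECT username, email FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Escaped: PDO::quote() plays the role of mysql_real_escape_string()
//    here (it also adds the surrounding quotes itself).
function findUserQuoted(PDO $db, string $username): array {
    $sql = "SELECT username, email FROM users WHERE username = " . $db->quote($username);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 4. Prepared statement: the value is bound separately and is never
//    parsed as SQL. This is a different technique from escaping.
function findUserPrepared(PDO $db, string $username): array {
    $stmt = $db->prepare("SELECT username, email FROM users WHERE username = ?");
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input standing in for a request parameter.
$input = "x' OR '1'='1";

printf("template color:     %s\n", templateColor($db));
printf("unsafe SELECT rows: %d\n", count(findUserUnsafe($db, $input)));
printf("quoted SELECT rows: %d\n", count(findUserQuoted($db, $input)));
printf("prepared rows:      %d\n", count(findUserPrepared($db, $input)));
```

No user named by the input exists, so any rows returned by a lookup mean the input was interpreted as SQL rather than as a value.
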
phprocker, posted November 8, 2010:

Thank you again. Marked Solved.