Question on mySQL injection

[Shadowing]

been wondering about this for a while

do I need to put the escape on each WHERE? or do i really only need to put it on the $_POST

i can probably understand why i need it on $_GET also after WHERE. So wondering about the session id.

 

 <?php mysql_query("UPDATE systems SET homes=  $homes + '".mysql_real_escape_string($_POST['homes'])."' 

WHERE address = '".mysql_real_escape_string($_GET['planet'])."' AND id = '".($_SESSION['user_id'])."'"); ?> 

[Shadowing]

  Quote

been wondering about this for a while

do I need to put the escape on each WHERE? or do i really only need to put it on the $_POST

i can probably understand why i need it on $_GET also after WHERE. So wondering about the session id.

 

 <?php mysql_query("UPDATE systems SET homes=  $homes + '".mysql_real_escape_string($_POST['homes'])."' 

WHERE address = '".mysql_real_escape_string($_GET['planet'])."' AND id = '".($_SESSION['user_id'])."'"); ?> 

[trq]

All user provided data needs to be validated and escaped before using it in any query.

[Shadowing]

thats why i was thinking i wouldnt need it on the 2nd WHERE matching session id since its not matching something a user could insert

 

is my way of thinking about that correct?

[PaulRyan]

Yes that is correct.