reality of mysql_real_escape_string


phppup


I'm starting off with a simple form to gather information and then store it in a database.

 

While researching methods and techniques I discovered this:

    $firstname = mysql_real_escape_string($_POST['firstname']);
    $lastname  = mysql_real_escape_string($_POST['lastname']);
    $email     = mysql_real_escape_string($_POST['email']);

 

Is it necessary to run mysql_real_escape_string for every item?

Is there a more effective/efficient manner to handle this?

Is there a better approach from a security standpoint?

 

Please educate me.


Read up on the use of the MySQL* functions. They are no longer supported and you are using very outdated information to begin your project.

 

My suggestion - read up on the PDO extension (or the mysqli one if you have to) and learn how prepared statements are the MUCH better way to structure your queries.

 

From the sound of your post you need to do a lot of reading to teach yourself how to program and how to write queries and how to handle user inputs. Good luck!
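
The prepared-statement approach recommended in the reply, applied to the three form fields from the question. This is an added example, not part of the original thread. Assumptions: the `members` table, the `saveMember()` helper and the sample input are hypothetical, and an in-memory SQLite database stands in for MySQL so the code runs offline.

```php
<?php
declare(strict_types=1);

// Assumption: SQLite in memory replaces MySQL here. For MySQL use a DSN such as
// 'mysql:host=localhost;dbname=app;charset=utf8mb4' with credentials, and also
// set PDO::ATTR_EMULATE_PREPARES => false to get native prepared statements.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // SQL errors throw
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Hypothetical table holding the form's three fields.
$pdo->exec('CREATE TABLE members (
    id INTEGER PRIMARY KEY,
    firstname TEXT NOT NULL,
    lastname  TEXT NOT NULL,
    email     TEXT NOT NULL
)');

function saveMember(PDO $pdo, array $form): int
{
    // Input validation is a separate concern from SQL safety.
    $first = trim((string)($form['firstname'] ?? ''));
    $last  = trim((string)($form['lastname'] ?? ''));
    $email = filter_var($form['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($first === '' || $last === '' || $email === false) {
        throw new InvalidArgumentException('Missing or invalid form field');
    }

    // The SQL text is fixed; values travel separately as bound parameters,
    // so no per-field escaping call is needed.
    $stmt = $pdo->prepare(
        'INSERT INTO members (firstname, lastname, email)
         VALUES (:firstname, :lastname, :email)'
    );
    $stmt->execute([':firstname' => $first, ':lastname' => $last, ':email' => $email]);
    return (int)$pdo->lastInsertId();
}

// Constructed sample input standing in for $_POST.
$post = [
    'firstname' => "Robert'); DROP TABLE members;--",
    'lastname'  => "O'Brien",
    'email'     => 'rob@example.com',
];
$id = saveMember($pdo, $post);

// The quote characters are stored as plain data and the table still exists.
$check = $pdo->prepare('SELECT firstname, lastname, email FROM members WHERE id = ?');
$check->execute([$id]);
var_export($check->fetch());
```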
