mysql_real_escape_string()


brendan6
Does:

$id = mysql_real_escape_string($_GET["id"]);

$result = mysql_query("SELECT * FROM table WHERE id = '$id'");

Have the same effect as:

$id = $_GET["id"];

$query = sprintf("SELECT * FROM table WHERE id = '%s'",mysql_real_escape_string($id));

$result = mysql_query($query);

?


That isn't very safe. You should always test if the data type of a user's input is valid, like running an is_numeric on it for example, and mysql_real_escape_string.

It looks like the "id" column in this case is probably an auto increment numeric data type, and hence would need to be validated to see if it's a valid integer. This is best done with ctype_digit() and not is_numeric() since that function allows periods and negative signs (dash) like in -1.2.


<?php

$nbr = 12.34;

// is_numeric() accepts floats, negative numbers and exponent notation,
// so it is too permissive for an auto-increment id.
if (is_numeric($nbr))
    echo 'The value of $nbr is numeric';  // Displays this!
else
    echo 'The value of $nbr is not numeric';

// ctype_digit() only returns true for a string made up entirely of
// decimal digits. Values from $_GET always arrive as strings, so
// ctype_digit('12.34') is false for the same reason.
if (ctype_digit($nbr))
    echo 'The value of $nbr is an integer';
else
    echo 'The value of $nbr is not an integer';  // Displays this!

?>
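A worked version of the validation the replies recommend, added here as an example and not code posted in the thread. The helper names, the 32-bit INT column limit and the sample inputs are assumptions; the script needs no database connection.

```php
<?php
// Added example (not from the thread): validate an "id" parameter with
// ctype_digit() before it goes anywhere near a query.
declare(strict_types=1);

// Return the id as an int, or null when the raw value is not a plain
// string of decimal digits. ctype_digit() is used rather than is_numeric()
// because is_numeric() also accepts "-1.2", "1e3" and " 12".
function validate_id(string $raw): ?int
{
    if ($raw === '' || !ctype_digit($raw)) {
        return null;
    }
    // Assumed column type: unsigned 32-bit INT; reject values that overflow it.
    if (strlen($raw) > 10 || (int) $raw > 4294967295) {
        return null;
    }
    return (int) $raw;
}

// Build the query only from a validated int. %d can only emit digits, so
// this parameter no longer depends on string escaping at all.
function build_query(int $id): string
{
    return sprintf('SELECT * FROM table WHERE id = %d', $id);
}

// Constructed sample inputs, as they would arrive in $_GET['id'].
$samples = ['42', '12.34', '-1', "42'", '1e3', '', '99999999999'];
foreach ($samples as $raw) {
    $id = validate_id($raw);
    printf("%-14s -> %s\n", var_export($raw, true),
        $id === null ? 'rejected' : build_query($id));
}
```

Only '42' passes; every other sample is rejected before a query string is built.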

