real_escape_string - question


ohdang888


Does it work to do a mysql_real_escape_string on a fetch array, and "protect" from everything in that array?

<?php
$result = mysql_query("SELECT * FROM `table` WHERE `id`='5'") or die(mysql_error());
$row = mysql_real_escape_string(mysql_fetch_array($result));
?>

Would that protect?

Thanks-


Thanks.

But I have a few questions on that page.

What's that %s, %s %d stuff?????

<?php
        $query = sprintf("INSERT INTO products (`name`, `description`, `user_id`) VALUES ('%s', '%s', %d)",
                    mysql_real_escape_string($product_name, $link),
                    mysql_real_escape_string($product_description, $link),
                    $_POST['user_id']);
?>

Oh, alright. Thanks.

But can't I just do the mysql_real_escape_string on the variables right before they go into the query and achieve the same security level????

For example, it would be like this:

$a = mysql_real_escape_string($a)

SELECT * FROM table WHERE column=$a
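
Added example, not part of the original thread: it compares the four ways a value can reach the query that the posts above touch on (escaped but unquoted as in `column=$a`, escaped inside quotes as with `'%s'`, cast with `%d`, and bound to a prepared statement) and counts the rows each one returns. Assumptions: the `mysql_*` functions were removed in PHP 7, so this uses an in-memory SQLite database through PDO to run offline; `escape_only()` is a hypothetical stand-in for `mysql_real_escape_string()`, and the table, rows and input are constructed.

```php
<?php
// Added example, not from the thread. In-memory SQLite via PDO so it runs
// offline; the table, rows and input value are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, user_id INTEGER)');
$pdo->exec("INSERT INTO products (name, user_id) VALUES ('lamp', 5), ('desk', 6), ('chair', 7)");

// Hypothetical stand-in for mysql_real_escape_string(): escapes quote
// characters for this driver but, like the original, adds no surrounding quotes.
function escape_only(PDO $pdo, string $s): string
{
    return substr($pdo->quote($s), 1, -1);
}

function count_rows(PDOStatement $stmt): int
{
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

$a = '5 OR 1=1'; // constructed request value; it contains nothing to escape

// 1. Escaped but placed unquoted, as in "WHERE column=$a": escaping leaves the
//    value unchanged and it is parsed as SQL, so the filter no longer applies.
$unquoted = count_rows($pdo->query('SELECT * FROM products WHERE user_id=' . escape_only($pdo, $a)));

// 2. Escaped and wrapped in quotes ('%s' style): the value stays a string literal.
$quoted = count_rows($pdo->query("SELECT * FROM products WHERE user_id='" . escape_only($pdo, $a) . "'"));

// 3. sprintf %d: the value is converted to an integer before it is inserted.
$cast = count_rows($pdo->query(sprintf('SELECT * FROM products WHERE user_id=%d', $a)));

// 4. Prepared statement: the value is bound as data and never parsed as SQL.
$stmt = $pdo->prepare('SELECT * FROM products WHERE user_id = ?');
$stmt->execute([$a]);
$bound = count_rows($stmt);

printf("unquoted=%d quoted=%d cast=%d bound=%d\n", $unquoted, $quoted, $cast, $bound);
```

Only the unquoted case lets the input change which rows match; escaping protects a value only when it sits inside quotes, which is why numeric values need a cast or a bound parameter.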
