ohdang888 Posted March 22, 2008
Does it work to do a mysql_real_escape_string on a fetch array, and "protect" from everything in that array?

<?php
$result = mysql_query("SELECT * FROM `table` WHERE `id`='5'") or die(mysql_error());
$row = mysql_real_escape_string(mysql_fetch_array($result));
?>

Would that protect? Thanks.
https://forums.phpfreaks.com/topic/97416-real_escape-_string-question/
AndyB Posted March 22, 2008
Perhaps you'll find the manual explanation of the function useful: http://ca.php.net/mysql_real_escape_string
ohdang888 Posted March 22, 2008
Thanks. But I have a few questions on that page. What's that %s, %s, %d stuff?

<?php
$query = sprintf("INSERT INTO products (`name`, `description`, `user_id`) VALUES ('%s', '%s', %d)",
    mysql_real_escape_string($product_name, $link),
    mysql_real_escape_string($product_description, $link),
    $_POST['user_id']);
?>
Daniel0 Posted March 22, 2008
Following on Andy's post: reading the manual entry for sprintf() will answer that question.
ohdang888 Posted March 22, 2008
Oh, alright. Thanks. But can't I just do the mysql_real_escape_string on the variables right before they go into the query and achieve the same security level? For example, it would be like this:

$a = mysql_real_escape_string($a);
SELECT * FROM table WHERE column=$a
Daniel0 Posted March 22, 2008
Yeah. That'd be no problem. Although if it's a string value you'll have to enclose it in single quotes in the query.
ohdang888 Posted March 22, 2008
Oh, OK. It's all coming together now!! wooooo

ONE more question. lol. So I read through the link that Andy sent, and it doesn't address the question of whether I can put an escape string on an array (my first post). Thanks!!!
Daniel0 Posted March 22, 2008
No. You're using that function on the user input to ensure that arbitrary SQL cannot be injected into your query. It only works on strings, integers, floats and booleans. There is no point in running it on the results which are returned anyway.
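Pulling Daniel0's answers together (the sprintf placeholders from the manual snippet, escaping inputs right before the query with quotes around string values, and not escaping fetched rows), here is an added example that is not code from the thread. It assumes the legacy mysql extension the thread uses (PHP 5.x) and placeholder connection details; the input array, table name and column names are constructed for the example.

```php
<?php
// Added example, not from the thread. Escape the INPUTS that go into a query,
// never the rows that come back out. Placeholder credentials (assumption).
$link = mysql_connect('localhost', 'db_user', 'db_pass') or die(mysql_error());
mysql_select_db('shop', $link) or die(mysql_error());

// Constructed sample input standing in for $_POST. The apostrophe in the
// description is exactly the kind of character that breaks an unescaped query.
$input = array(
    'name'        => "Widget",
    'description' => "Bob's best widget",
    'user_id'     => "seven",   // not an integer; %d turns it into 0 below
);

// mysql_real_escape_string() takes ONE string, not an array. To escape an
// array of inputs, apply it to each element; the connection is passed along
// so the escaping matches the connection's character set.
function escape_all(array $values, $link)
{
    $escaped = array();
    foreach ($values as $key => $value) {
        $escaped[$key] = mysql_real_escape_string((string) $value, $link);
    }
    return $escaped;
}
$safe = escape_all($input, $link);

// sprintf() placeholders: %s substitutes a string, so the SQL must wrap it in
// single quotes; %d formats the value as an integer, so anything that is not
// a number ends up as 0 and cannot smuggle extra SQL into the statement.
$query = sprintf(
    "INSERT INTO products (`name`, `description`, `user_id`) VALUES ('%s', '%s', %d)",
    $safe['name'],
    $safe['description'],
    $input['user_id']
);
mysql_query($query, $link) or die(mysql_error());

// Fetched rows need no escaping: they are data you read, not SQL you build.
// Only escape a fetched value again if you put it into ANOTHER query.
$result = mysql_query("SELECT `name`, `description` FROM products", $link) or die(mysql_error());
while ($row = mysql_fetch_assoc($result)) {
    // Escaping is per context: for HTML output the right function is
    // htmlspecialchars(), not mysql_real_escape_string().
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), ': ',
         htmlspecialchars($row['description'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The mysql_* extension was removed in PHP 7; the same input/output split applies with mysqli or PDO, where prepared statements bind the values separately from the SQL text instead of escaping them into it.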