If you feel like you'll forget to escape a variable that will be a part of a query, don't escape variables before
you assemble the query. Escape them while
you assemble the query, i.e.
mysql_query('SELECT * FROM ' . mysql_real_escape_string($_POST['table'], $conn) . ' WHERE something= ' . mysql_real_escape_string($_POST['something'], $conn), $conn);
I always wonder why people have to write stuff like
$table = mysql_real_escape_string($_POST['table'], $conn);
$something = mysql_real_escape_string($_POST['something'], $conn);
mysql_query("SELECT * FROM $table WHERE something= $something" , $conn);
Readbility? When you have syntax highlighting available, I think the first is far easier to decipher, while at the same time showing that security precautions have been taken.
If you get into the habbit of escaping at the last possible moment, you'll be sure that you've done all escaping, since the moment of "there may be something wrong before
I did this" will be gone (and will instead be replaced with "I forgot to do this here
The greatest difficulty in programming is not in finding answers, but in asking yourself the right questions. -- If nobody has said it before, then I'd like to take credit of thinking this up (during summer of 2010).
"Complex problems often have the simplest solutions" -- Not sure who said that first.
=== My projects (all feedback welcomed) ===
(0.5.3) - perform XSLT 2.0 transformations in PHP.
(1.0.0a3) - reliable sockets.
(0.1.1) - persistent data storage wrapper.
=== Useful tools ===
- full featured PHP IDE, as well as a decent code editor for other things.
- The best free HTTP debugger. Performance tuning, security check, integrity check, custom requests and more, all made easy.
- That's NOT
my Nickname! Look at the topic.