jimfog, posted April 12, 2013
When I put data into the db I always use the real_escape_string function for security purposes. Is there a need to do something similar when I SELECT data from the db? Are there any security issues to consider in the above scenario?
justsomeguy, posted April 12, 2013
mysql_real_escape_string for an insert query isn't really about security, it's about making sure the data gets inserted accurately. As far as security goes when you're dealing with displaying user-submitted data, that's part of what OWASP is about:
https://www.owasp.org/index.php/Main_Page
https://www.owasp.org/index.php/Cheat_Sheets
Stream, posted April 20, 2013
Is it correct to pass mysql_real_escape_string to the variable, like
$year = mysql_real_escape_string( trim($_POST['year']));
or is it correct to use it in the query, like below?
$year = ( trim($_POST['year']));
$sql = "INSERT INTO table (year) values ( . mysql_real_escape_string($value) .)
justsomeguy, posted April 22, 2013
Neither is technically wrong, although the second example doesn't have correct syntax.
Stream, posted April 22, 2013
Thank you. Yeah, it should be like
$sql = "INSERT INTO table (year) values ('. mysql_real_escape_string($value) .')
justsomeguy, posted April 22, 2013
$sql = "INSERT INTO table (year) values ('" . mysql_real_escape_string($value) . "')";
Stream, posted May 5, 2013 (edited)
But should we use mysql_real_escape_string when we add an image path to the db, or does it not matter for that? Thank you
Edited May 6, 2013 by Stream
justsomeguy, posted May 6, 2013
It doesn't matter when you call the function as long as the value is escaped by the time it goes in the query.
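The two separate concerns raised in this thread (keeping the query intact on INSERT, and what to do with the data after SELECT) as an added example; it is not code from any of the posters. It uses PDO with an in-memory SQLite database so it runs offline, and the sample inputs are constructed; the `html()` helper is a hypothetical name.

```php
<?php
// Added example. Going IN: the value must not break the SQL text. Bound
// parameters do that job (mysql_real_escape_string was the pre-PDO way to
// achieve the same thing by escaping quotes). Coming OUT: a SELECT returns the
// data exactly as stored, and the SQL-side escaping is irrelevant there; the
// value only becomes dangerous in the place it is displayed, so it is encoded
// for that context (HTML here) at output time.
$db = new PDO('sqlite::memory:');                 // assumption: pdo_sqlite available
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, year TEXT, path TEXT)');

// Constructed user input: a single quote that would break a hand-built query,
// and an image path carrying an HTML tag (the same handling applies to any
// string, an image path included).
$year = trim("1999' OR '1'='1");
$path = trim('images/<script>alert(1)</script>.png');

// INSERT with bound parameters: SQL text and data never mix.
$stmt = $db->prepare('INSERT INTO entries (year, path) VALUES (:year, :path)');
$stmt->execute([':year' => $year, ':path' => $path]);

// SELECT: the WHERE value is bound the same way; nothing else is needed for
// the query itself. The row comes back verbatim, quote and tag included.
$stmt = $db->prepare('SELECT year, path FROM entries WHERE year = :year');
$stmt->execute([':year' => $year]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
assert($row['year'] === $year && $row['path'] === $path);

// Display: encode for HTML here, not at INSERT time. Storing an already
// HTML-encoded value would corrupt it for every other consumer of the data.
function html(string $s): string {               // hypothetical helper name
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
echo '<img src="' . html($row['path']) . '" alt="' . html($row['year']) . '">' . "\n";
```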