entering data in the db

[jimfog]

When I put data into the db I always use the real_escape_string function for security purposes. Is there a need to do something similar when I SELECT data from the db? Are there any security issues to consider in the above scenario?

[justsomeguy]

mysql_real_escape_string for an insert query isn't really about security, it's about making sure the data gets inserted accurately. As far as security goes when you're dealing with displaying user-submitted data, that's part of what OWASP is about: https://www.owasp.org/index.php/Main_Pagehttps://www.owasp.org/index.php/Cheat_Sheets

[Stream]

Is it correct to pass mysql_real_escape_string to variable like$year =mysql_real_escape_string( trim($_POST['year'])); or correct to use it in query like bellow$year =( trim($_POST['year'])); $sql = "INSERT INTO table (year) values ( . mysql_real_escape_string($value) .)

[justsomeguy]

Neither is technically wrong, although the second example doesn't have correct syntax.

[Stream]

thank you yeh should be like

$sql = "INSERT INTO table (year) values ('. mysql_real_escape_string($value) .')

[justsomeguy]

$sql = "INSERT INTO table (year) values ('" . mysql_real_escape_string($value) . "')";

[Stream]

but should we use mysql_real_escape_string when we add image path to db or there is no matter for that? Thank you

Edited May 6, 2013 by Stream

[justsomeguy]

It doesn't matter when you call the function as long as the value is escaped by the time it goes in the query.