You are here: Re: mysql_real_escape_string(); « PHP SQL « IT news, forums, messages
Re: mysql_real_escape_string();

Posted by peter on 02/23/07 14:11

> Is there really any time when I don't want to run every _POST and _GET
> through mysql_real_escape_string() before I use that data in accessing the
> database?
>
> In other words, is there a good reason why I shouldn't have a function
> that walks through the POST[] and GET[] arrays and processes the
> mysql_real_escape_string() function against the data in order to ensure
> that there will be no attempts to do an SQL inject?

You should be validating user input before you put it into the database and
using that fucntion at the top of your script will hinder your validation
attempts (as you will end up with escape characters in the string). If for
example you ask someone their age in a form ensure it is an int. If it is an
int then there is no need to use that function on it.

 

Navigation:

[Reply to this message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация