Posted by peter on 02/23/07 14:11
> Is there really any time when I don't want to run every _POST and _GET
> through mysql_real_escape_string() before I use that data in accessing the
> database?
>
> In other words, is there a good reason why I shouldn't have a function
> that walks through the POST[] and GET[] arrays and processes the
> mysql_real_escape_string() function against the data in order to ensure
> that there will be no attempts to do an SQL inject?
You should be validating user input before you put it into the database, and
using that function at the top of your script will hinder your validation
attempts (as you will end up with escape characters in the string). If, for
example, you ask someone their age in a form, ensure it is an int. If it is an
int then there is no need to use that function on it.
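The two approaches discussed in the thread, as an added example (not code from the original post or its author). It contrasts escaping every $_POST value at the top of the script with validating each field by type first and escaping only the free-text strings when the query is built. Because no database connection is available here, addslashes() stands in for mysql_real_escape_string(); the field names, the validation rules and the sample request are all constructed for the illustration.

```php
<?php
// Added example, not code from the original thread. It contrasts the two
// approaches discussed: running every $_POST value through an escaping
// function at the top of the script, versus validating each field by type
// first and escaping only the free-text strings when the query is built.
//
// Assumption: no database connection is available here, so addslashes()
// stands in for mysql_real_escape_string(). Both prefix ' " \ with a
// backslash; the real function is also connection-charset-aware. The field
// names, validation rules and the sample request are all constructed.

// Constructed sample request, as $_POST would arrive from a form.
$post = array(
    'age'  => '42',
    'name' => "O'Brien",
);

// Approach 1: escape every value before anything else looks at it.
function escape_all(array $input)
{
    $out = array();
    foreach ($input as $key => $value) {
        $out[$key] = addslashes($value); // stand-in for mysql_real_escape_string()
    }
    return $out;
}

// A plausible validation rule for a person's name: letters, spaces,
// hyphens and apostrophes only, at most 100 characters.
function valid_name($name)
{
    return preg_match('/^[A-Za-z\' -]{1,100}$/', $name) === 1;
}

// Approach 2: validate each field according to its type; nothing has been
// escaped yet, so validation sees exactly what the user typed.
function validate_post(array $input)
{
    $clean = array();

    // age: must be an integer in a sane range. Once it is known to be an
    // int there is nothing left to escape.
    $age = filter_var(
        isset($input['age']) ? $input['age'] : null,
        FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 0, 'max_range' => 150))
    );
    if ($age === false) {
        return null;
    }
    $clean['age'] = $age;

    // name: free text, so check its shape and length here and escape it
    // later, at the point where it is placed into SQL.
    if (!isset($input['name']) || !valid_name($input['name'])) {
        return null;
    }
    $clean['name'] = $input['name'];

    return $clean;
}

// Escaping happens once, here, and only for the string column. The int is
// emitted with %d, so it cannot carry quotes or anything else into the SQL.
function build_insert(array $clean)
{
    return sprintf(
        "INSERT INTO people (age, name) VALUES (%d, '%s')",
        $clean['age'],
        addslashes($clean['name']) // stand-in for mysql_real_escape_string()
    );
}

// Escape-first: the apostrophe in O'Brien has become O\'Brien, and the name
// rule rejects the backslash, so a legitimate value fails validation.
$escaped = escape_all($post);
echo "escape-first, name valid? ", var_export(valid_name($escaped['name']), true), "\n";

// Validate-first: the raw value passes, and escaping is applied exactly
// once, when the query is built.
$clean = validate_post($post);
if ($clean === null) {
    echo "validate-first: rejected\n";
} else {
    echo "validate-first: ", build_insert($clean), "\n";
}

// A tampered age never reaches the query: it fails FILTER_VALIDATE_INT.
$tampered = array('age' => '42 OR 1=1', 'name' => "O'Brien");
echo "tampered age accepted? ", var_export(validate_post($tampered) !== null, true), "\n";
```

The order matters: validation runs on the raw value, and escaping is applied exactly once, at the place where the value is interpolated into SQL, so the validator never sees backslashes and nothing is escaped twice. On current PHP the mysql_* extension no longer exists (it was removed in PHP 7), and parameterised queries through mysqli or PDO replace the escaping step entirely; the type validation shown here is still worth doing in front of them.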