Reputation: 188
mysql escape getsqlvaluestring AccID
In various mysql queries, the end part of the query string is:
" WHERE UserID = " . $AccID
where
$AccID = $_SESSION['UID'];
and UserID is the respecting bigint column in the specific table of the db.
So my question is : do I need to escape the $AccID like this GetSQLValueString($AccID, "text") just to be on the safe side, or there is no need to, since it's not taken from a user input ?
p.s. $_SESSION['UID'] is set during the login procedure, after a successful authentication
Upvotes: 1
Views: 351
Answers (1)
Reputation: 78731
Yes, you should escape it. You should not database-escape it when you put it into $_SESSION (you might want to use it for other purposes), but before inserting into the query.
Your best bet would be though to use parameterized SQL instead of always escaping and building your queries through string concatenation. Get familiar with PDO. For a better world.
Upvotes: 3
Related Questions
- PHP Cannot escape my string properly
- mysql_escape_string in php
- What is the proper way to escape a $_SESSION username for use in a mysql query?
- Is mysql_escape_string not supposed to be used at all? If not, what is the alternative?
- Do we have to use mysql_real_escape_string() while working with sessions?
- Escape MySQL PHP
- Escaping a string being inserted into Mysql
- MySQL escaped strings problem
- error using mysql escape string
- mysql_real_escape_string() for $_SESSION variables necessary?