Reputation: 13166
Please look at the code below:
$username = $_POST['username'];
$_SESSION['user_name'] = $username;
Do I have to use the mysql_real_escape_string() function while I'm setting the $username value too? Is there any threat here if I don't?
Attention: I use PDO to work with MySQL.
Upvotes: 1
Views: 567
Reputation: 9833
You shouldn't have to as session data can only be manipulated on the server.
If you KNOW you have data in there that is to be used in a query and has characters that need escaping then obviously you should ensure that takes place.
Any values you store in sessions that contain any query language like 'OR 1 = 1' are basically down to poor application design IMO - any values in session that could open you up to security lapses are your own fault - just make sure it can't be done.
Upvotes: 0
Reputation: 522513
No, you do not need to escape it in any way there. You only need to escape text if you are concatenating it with other text where certain characters may have a special meaning. See The Great Escapism (Or: What You Need To Know To Work With Text Within Text).
Upvotes: 5
Reputation: 658
mysql_real_escape_string() is used for security purposes, so users couldn't do SQL injection. If you aren't using $_SESSION['user_name'] or $username for the database, then you won't need to use it. You can read more here - http://php.net/manual/en/function.mysql-real-escape-string.php
mysql_real_escape_string() adds a backslash to each special character.
Also, you should check some SQL injection examples, so you get an idea how it's done, and what exactly mysql_real_escape_string() is preventing - http://www.unixwiz.net/techtips/sql-injection.html .
Upvotes: 3
Reputation: 3225
You don't have to; use it only when you want to escape the characters for entering them into the database.
Upvotes: 4
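The point made across the answers above (store the value as-is, escape or bind only where it is embedded in another language), as an added example that is not code from the question or any answer. It assumes a `users` table with `id` and `username` columns and uses an in-memory SQLite PDO so it runs without a MySQL server.

```php
<?php
// Added example: the raw POST value goes into the session untouched; handling
// for SQL (bound parameter) and HTML (htmlspecialchars) happens only at the
// point where the value is placed inside that other language.
session_start();

// Constructed input standing in for $_POST['username'].
$username = "o'brien";

// Session storage involves no quoting context, so nothing is escaped here.
$_SESSION['user_name'] = $username;

// Safe lookup: the value is passed as a bound parameter, never spliced into SQL.
function findUser(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The pattern the answers warn against: concatenating the raw value into the
// query text. The apostrophe in the data ends the string literal and the query
// is no longer the one the developer wrote.
function findUserUnsafe(PDO $pdo, string $name): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $name . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HTML output is another "text within text" context; escape at render time.
function renderGreeting(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Assumed schema, populated with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('o''brien')");

var_dump(findUser($pdo, $_SESSION['user_name']));
try {
    findUserUnsafe($pdo, $_SESSION['user_name']);
} catch (PDOException $e) {
    echo 'Concatenated query failed: ' . $e->getMessage() . PHP_EOL;
}
echo renderGreeting($_SESSION['user_name']) . PHP_EOL;
```

The bound query returns the matching row while the concatenated one throws, which is the difference between the two approaches the answers describe; with MySQL the same code works once the DSN is changed, since PDO placeholders are driver-independent.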