Lyon

Reputation: 7364

mysql_real_escape_string() for $_SESSION variables necessary?

Should I use the mysql_real_escape_string() function in my MySQL queries for $_SESSION variables? Theoretically, the $_SESSION variables can't be modified by the end-user unlike $_GET or $_POST variables right?

Thanks :)

Upvotes: 5

Views: 2986

Answers (4)

symcbean

Reputation: 48387

Theoretically, the $_SESSION variables can't be modified by the end-user

No, but the data must have come from somewhere.

You should escape any output from PHP, using the appropriate method for the destination at the point at which it leaves PHP.

C.

Upvotes: 1

Silvio Donnini

Reputation: 3303

You can answer the question yourself by following this line of reasoning:

Did the value in $_SESSION originate from user input?

If so, has it been sanitized already?

Upvotes: 3

Ignacio Vazquez-Abrams

Reputation: 799240

Do not escape/quote/encode text until you're at the point where you need it. Internal representations should be as "raw" as possible.

Upvotes: 4

nobody

Reputation: 20174

Regardless of whether the user can modify the data, you probably want to escape it anyway in case you ever need the data to contain characters that would break the SQL (quotes, etc).

Better yet, use bound parameters and you won't have to worry about it.

Upvotes: 4
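The point the answers above make, as an added example (not code from any of the posters): a session value that originally came from user input, used first by string interpolation, then escaped at the point it leaves PHP, then as a bound parameter. The table and column names, the connection credentials and the request parameter name are assumptions; mysqli is used because the mysql_* functions were removed in PHP 7.

```php
<?php
// Added example. Assumed: a `users` table with `id`, `email`, `username`
// columns, a `user` query parameter, and the mysqli credentials below.
session_start();

// Step 1: the value enters the session from a request parameter. It is
// stored raw, as the answers recommend; nothing is escaped yet.
if (isset($_GET['user'])) {
    $_SESSION['username'] = $_GET['user'];   // e.g. "O'Brien" or "x' OR '1'='1"
}

// Step 2 (what the question asks about): the session value in SQL text.
// The user cannot edit $_SESSION directly, but the apostrophe in "O'Brien"
// still breaks the statement, and a crafted value still changes its meaning.
function unsafeLookup(mysqli $db, string $username): ?array
{
    $sql = "SELECT id, email FROM users WHERE username = '$username'";
    $result = $db->query($sql);               // "O'Brien" -> SQL syntax error
    return $result ? $result->fetch_assoc() : null;
}

// Step 3: escaping at the point where the value leaves PHP for MySQL.
// real_escape_string() is the mysqli equivalent of mysql_real_escape_string().
function escapedLookup(mysqli $db, string $username): ?array
{
    $safe = $db->real_escape_string($username);
    $result = $db->query("SELECT id, email FROM users WHERE username = '$safe'");
    return $result ? $result->fetch_assoc() : null;
}

// Step 4 (what the last answer recommends): a bound parameter. The value is
// never part of the SQL text, so quotes in it are data, not syntax, and no
// escaping step has to be remembered for any of its sources.
function boundLookup(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare("SELECT id, email FROM users WHERE username = ?");
    $stmt->bind_param('s', $username);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

$db = new mysqli('localhost', 'app', 'secret', 'appdb');   // assumed credentials
$row = boundLookup($db, $_SESSION['username'] ?? '');
```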
