Reputation: 654
If I pull a string out of a MySQL result, then use that string in a mysql_query()... I still have to escape it, right? Something I've never considered, but just came across.
Upvotes: 0
Views: 62
Reputation: 838256
Yes, because when you retrieve the string it will no longer be escaped. When you use:
$sql = "INSERT yourtable(foo) VALUES ('" . mysql_real_escape_string($foo) . "')";
the string is not stored in the database in escaped form. The escaping is removed when MySQL parses the query, and the original value of $foo is the value that is stored and is the value you receive when you read the data again later.
Upvotes: 2
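The round trip this answer describes, as an added example using mysqli (not code from the original post); the connection details and the `notes` table are assumed:

```php
<?php
// Added example. Assumes a MySQL server reachable with these placeholder
// credentials and a table created with:
//   CREATE TABLE notes (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT);
$db = new mysqli('localhost', 'user', 'password', 'testdb');
$db->set_charset('utf8mb4');   // escaping rules depend on the connection charset

// Constructed sample value containing the characters escaping exists for.
$input = "O'Reilly \\ \"quoted\"";

// 1. Escaping is applied to the SQL *text*, not to the value that gets stored.
$sql = "INSERT INTO notes (body) VALUES ('" . $db->real_escape_string($input) . "')";
$db->query($sql);
$id = $db->insert_id;

// 2. Reading it back returns the ORIGINAL value: no backslashes were stored.
$row = $db->query("SELECT body FROM notes WHERE id = " . (int)$id)->fetch_assoc();
var_dump($row['body'] === $input);   // bool(true)

// 3. Concatenating the fetched value unescaped therefore breaks the query
//    (the single quote in O'Reilly ends the literal early): query() returns false.
if (!$db->query("INSERT INTO notes (body) VALUES ('" . $row['body'] . "')")) {
    echo "Unescaped reuse failed: " . $db->error . "\n";
}

// 4. Every query that embeds the value must escape it again...
$db->query("INSERT INTO notes (body) VALUES ('" . $db->real_escape_string($row['body']) . "')");

// ...or, better, use a prepared statement so the value never enters the SQL text.
$stmt = $db->prepare("INSERT INTO notes (body) VALUES (?)");
$stmt->bind_param('s', $row['body']);
$stmt->execute();
```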
Reputation: 54445
Yes, you need to - the reason being that you'll have stored it escaped, etc. so when you retrieve it you'll presumably have un-escaped it to its original form (the ultimate idea being to store the input data "as-is" to preserve it and then escape on output).
As such, you'd need to escape it during subsequent query uses, and indeed for output on the front end. (Although for front end purposes you'd use htmlentities, etc. as appropriate for the type of data.)
Upvotes: 0
Reputation: 4329
Yes. I'm assuming you mean mysql_real_escape_string here. MySQL will return the unescaped version, so if you are going to reinsert, you will have to re-escape the values.
Upvotes: 0
Reputation: 10584
Yes, you have to. What if the string was never escaped the first time it was inserted?
Upvotes: 0