Reputation: 691
When should I use mysql_real_escape_string?
Is it only when I'm inserting rows into a database? Or only when I have user input?
Thanks
Upvotes: 4
Views: 4201
Reputation: 1
It will simply filter all special characters included in form data to prevent SQL injection (SQL injection is a hacker tool for hacking websites through some queries with form data).
Upvotes: 0
Reputation: 838036
You should use mysql_real_escape_string when you are inserting the value of a string into an SQL statement, and you are using the MySQL API.
$sql = "SELECT * FROM student WHERE foo = '" . $foo . "'";
Should be:
$sql = "SELECT * FROM student WHERE foo = '" .
mysql_real_escape_string($foo) . "'";
However, you should also consider using PDO with prepared statements and bind parameters instead of mysql_real_escape_string. This reduces the risk of errors.
Upvotes: 2
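As an added example (not part of either answer above), the three forms the answers discuss side by side: the raw concatenation, the escaped version, and the PDO prepared statement the answer recommends, plus the caveat that escaping only protects a value that sits inside a quoted string literal. The table `student`, the database `school`, the credentials and the hostile inputs are all constructed assumptions. Because the `mysql_*` extension was removed in PHP 7.0, the escaping step uses `mysqli_real_escape_string`, which behaves the same way (it needs an open connection because the escaping depends on the connection's character set).

```php
<?php
// Added example; assumes a MySQL database `school` with a table `student`
// (columns `id` INT, `foo` VARCHAR). Credentials are placeholders.
$host = 'localhost';
$user = 'app';
$pass = 'secret';
$db   = 'school';

// Constructed hostile input: closes the string literal and appends a tautology.
$foo = "' OR '1'='1";

// 1. Vulnerable: the value is concatenated straight into the SQL text.
//    Resulting SQL: SELECT * FROM student WHERE foo = '' OR '1'='1'
$vulnerable = "SELECT * FROM student WHERE foo = '" . $foo . "'";

// 2. Escaped: quotes and backslashes are escaped according to the
//    connection's character set, so the value stays one string literal.
//    Resulting SQL: SELECT * FROM student WHERE foo = '\' OR \'1\'=\'1'
$conn = mysqli_connect($host, $user, $pass, $db);
if ($conn === false) {
    die('Connection failed: ' . mysqli_connect_error());
}
mysqli_set_charset($conn, 'utf8mb4'); // escaping must match the connection charset
$escaped = "SELECT * FROM student WHERE foo = '"
    . mysqli_real_escape_string($conn, $foo) . "'";

// Caveat: escaping only helps inside quotes. An unquoted numeric context
// contains nothing to escape, so this is still injectable:
//    SELECT * FROM student WHERE id = 1 OR 1=1
$id = "1 OR 1=1";
$stillInjectable = "SELECT * FROM student WHERE id = "
    . mysqli_real_escape_string($conn, $id);
// Fix for a numeric column: enforce the type instead of escaping.
$numericSafe = "SELECT * FROM student WHERE id = " . (int) $id; // id = 1
mysqli_close($conn);

// 3. Preferred: PDO prepared statement with a bound parameter. The value
//    never becomes part of the SQL text, so there is no escaping step to forget.
$pdo = new PDO(
    "mysql:host=$host;dbname=$db;charset=utf8mb4",
    $user,
    $pass,
    [
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]
);
$stmt = $pdo->prepare('SELECT * FROM student WHERE foo = :foo');
$stmt->execute([':foo' => $foo]);          // matches only rows whose foo is literally "' OR '1'='1"
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

$stmt = $pdo->prepare('SELECT * FROM student WHERE id = :id');
$stmt->bindValue(':id', (int) $id, PDO::PARAM_INT); // typed binding for the numeric column
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);
```

Note that binding covers values only: a table or column name, or an `ORDER BY` direction, cannot be a parameter and must be checked against an allow-list in PHP instead of being escaped.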
Reputation: 3764
You should use mysql_real_escape_string() whenever you're building a query that will be run against the database. Any user input that is being used to build a database query should be run through this function. This will prevent SQL injection attacks.
User inputs are your big area of concern when it comes to this.
Upvotes: 2