When should i use mysql_real_escape_string?
Is it only when i'm inserting rows into a database? Or only when i have user input?
Thanks
When should i use mysql_real_escape_string?
Is it only when i'm inserting rows into a database? Or only when i have user input?
Thanks
You should use mysql_real_escape_string() whenever you're building a query that will be run against the database. Any user input that is being used to build a database query should be run through this function. This will prevent sql injection attacks.
User inputs are your big area of concern when it comes to this.
You should use mysql_real_escape_string when you are inserting the value of a string into an SQL statement, and you are using the MySQL API.
$sql = "SELECT * FROM student WHERE foo = '" . $foo . "'";
Should be:
$sql = "SELECT * FROM student WHERE foo = '" .
mysql_real_escape_string($foo) . "'";
However you should also consider using PDO with prepared statements and bind parameters instead of mysql_real_escape_string
. This reduces the risk of errors.
It will simply filter all special character which included in form data to prevent from SQL injection(SQL injection is a hacker tool for hacking website through some queries with form data}