Kyle Terry wrote:
On Wed, Mar 4, 2009 at 6:55 PM, Chris <dmagick@xxxxxxxxx> wrote:
Eric Butera wrote:
On Wed, Mar 4, 2009 at 8:18 PM, Chris <dmagick@xxxxxxxxx> wrote:
You only need to escape data coming from a user going in to your
database.
If you put user input into your database and pull it back out, it's
still raw user input. Never trust any piece of data ever, whether it
comes from a superglobal OR within your app itself.
Isn't that what I said?
--
Postgresql & php tutorials
http://www.designmagick.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Actually no; you said "You only need to escape data coming from a user going
in to your database."
mysql_real_escape_string is only needed to prevent sql issues going in.
Of course your filter needs to check for other things before you put it
in, but not because of the integrity of the sql statement.
Once it is in the database, the mysql_real_escape_string has served it's
purpose - it's in the database.
mysql> select name from foo;
+---------------+
| name |
+---------------+
| Bill O'Really |
+---------------+
The \ is no longer there.
You don't need stripslashes or anything else to use it in output.
If you are going to use it for additional queries then you need to
escape it again for the integrity of the query, but in most cases it is
better to query based upon a unique ID integer associated with the name
(primary key) - unless you are looking for multiple records with same
name field, in which case you probably are dealing with a user input
request that you have escaped when you ate the _POST variable.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php