Tutorial: When is mysql_real_escape_string() needed?


Is mysql_real_escape_string() with sprintf needed only at login page or at every mysql_query after login, for preventing SQL injection?


You should use mysql_real_escape_string for any user supplied data that is going to be run through an SQL query.


You should use mysql_real_escape_string() every time you insert user-posted data into a query, or use a database wrapper like PDO that can do prepared statements. That would be better, because they do the job of sanitizing for you.

If you are working on the overall security of your site, this is great and definitely necessary. If you are looking for reasons why your site was hacked, though, I doubt this was done through a SQL injection, as your actual HTML code was affected (or so I thought, I may be wrong). This would be only possible if you had your FTP password stored somewhere in the database.


Use it when you do not trust the input. And never trust a user input.


In any instance that you accept user input, you should use mysqli_real_escape_string on it before sending it to the database. It is a good idea to use trim() on the input as well.
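To make the three approaches discussed in the answers concrete, here is an added PHP example (not code from the question or any of the answers above). It places the string-interpolated query that is vulnerable to SQL injection next to the sprintf-plus-escaping version the question asks about, and next to a prepared statement. The old `mysql_*` extension was removed in PHP 7, so the example uses `mysqli`; the connection credentials, the `users` table and its `username` column are placeholders assumed for illustration.

```php
<?php
// Added example, not from the original page. Assumes a reachable MySQL server
// (placeholder credentials below) and a table `users(id, username)`.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}
// The escaping functions depend on the connection charset; set it explicitly.
$db->set_charset('utf8mb4');

// 1. VULNERABLE: user input is pasted directly into the SQL text. Any quote
//    character in $username changes the structure of the statement.
function findUserUnsafe(mysqli $db, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// 2. ESCAPED: every user-supplied value goes through real_escape_string and
//    is placed inside a quoted string literal before sprintf builds the query.
//    This has to happen for every query that carries user data, on every page,
//    not only the login form. Escaping only protects quoted string literals;
//    it does nothing for unquoted positions such as LIMIT, ORDER BY or a
//    column name, which need validation or a whitelist instead.
function findUserEscaped(mysqli $db, string $username): ?array
{
    $sql = sprintf(
        "SELECT id, username FROM users WHERE username = '%s'",
        $db->real_escape_string($username)
    );
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// 3. PREFERRED: a prepared statement. The SQL text is sent to the server
//    first and the value is bound separately, so it can never be parsed as SQL.
function findUserPrepared(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);   // 's' = bind as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage with an untrusted value, e.g. from a form field (constructed input).
$username = trim($_POST['username'] ?? 'alice');
var_dump(findUserPrepared($db, $username));
```

The `trim()` call at the end reflects the last answer's advice but is a data-cleaning step, not a security control; only the escaping (2) or, better, the prepared statement (3) prevents injection. Note that the `die()` on connection failure prints driver error text, which is fine during development but should be logged rather than shown to users in production.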
