mysql_real_escape_string() for $_SESSION variables?

Should I use the mysql_real_escape_string() function in my MySQL queries for $_SESSION variables? Theoretically, $_SESSION variables cannot be changed by the end user, unlike $_GET or $_POST variables?

Thanks :)

+5
4 answers

Regardless of whether the user can modify the data, you probably want to escape it anyway in case you ever need the data to contain characters that could break the SQL (quotation marks, etc.).

Better yet, use bound parameters and you won't have to worry about it.

+4

You can answer the question yourself by following this line of reasoning:

Does the value in $_SESSION come from user input?

If so, has it already been checked?

+3

Theoretically, $_SESSION variables cannot be changed by the end user

No, but the data should have come from somewhere.

You should escape any output from PHP using the appropriate method for the destination at the moment it leaves PHP.

FROM.

+1
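The point made in the answers above (a session value still came from somewhere, and bound parameters remove the need to escape it), as an added example that is not part of the original thread. It assumes PDO with an in-memory SQLite database in place of MySQL so it runs offline; the table, column and session key names are hypothetical.

```php
<?php
// Added example. Assumptions: PDO with an in-memory SQLite database stands in
// for MySQL; the orders table and the 'customer' session key are made up.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, item TEXT)');
$pdo->exec("INSERT INTO orders (customer, item) VALUES ('Miles O''Brien', 'spanner')");

// Constructed sample: at login the application copied the display name into
// the session. The end user cannot edit $_SESSION directly, but this value
// originally arrived through a form field.
$_SESSION = ['customer' => "Miles O'Brien"];

// Concatenation without escaping: the apostrophe in the session value ends
// the SQL string literal early and the statement no longer parses.
function ordersConcatenated(PDO $pdo, array $session): array
{
    $sql = "SELECT item FROM orders WHERE customer = '" . $session['customer'] . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Bound parameter: the value travels separately from the SQL text, so its
// content cannot change the structure of the statement.
function ordersBound(PDO $pdo, array $session): array
{
    $stmt = $pdo->prepare('SELECT item FROM orders WHERE customer = :customer');
    $stmt->execute([':customer' => $session['customer']]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

try {
    ordersConcatenated($pdo, $_SESSION);
    echo "concatenated: query ran\n";
} catch (PDOException $e) {
    echo "concatenated: query failed: ", $e->getMessage(), "\n";
}

echo "bound: ", implode(', ', ordersBound($pdo, $_SESSION)), "\n";
```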
