If I pull a string out of a MySQL result, then use that string in a mysql_query()... I still have to escape it, right? Something I've never considered, but just came across.
Yes, because when you retrieve the string it will no longer be escaped. When you use:
$sql = "INSERT yourtable(foo) VALUES ('" . mysql_real_escape_string($foo) . "')";
the string is not stored in the database in escaped form. The escaping is removed when MySQL parses the query, and the original value of $foo is the value that is stored and is the value you receive when you read the data again later.
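To make the round trip concrete, here is an added example (not from the original answer, and in Python rather than PHP) that models the two halves of the process: the backslash escaping mysql_real_escape_string applies, and the un-escaping MySQL's parser performs on a single-quoted literal. The parse_literal function is a simplified model of the MySQL parser, written for this demonstration; it is not MySQL itself.

```python
# Model of MySQL-style escaping and of what the parser does with the result.
# The escaped form exists only inside the SQL text; the stored value is the
# original, so any later query built from the stored value must escape again.

# The characters mysql_real_escape_string escapes and their escaped spellings.
_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}
# Reverse map used by the parser model: '0' -> NUL, 'n' -> newline, ...
_UNESCAPES = {v[1]: k for k, v in _ESCAPES.items()}


def mysql_escape(value: str) -> str:
    """Escape a value for use inside a single-quoted MySQL string literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_literal(literal: str) -> str:
    """Simplified model of MySQL parsing a single-quoted literal: strip the
    quotes, resolve backslash escapes and '' -> '. Raises on a literal that a
    stray, unescaped quote would terminate early."""
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        raise ValueError("not a single-quoted literal")
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            out.append(_UNESCAPES.get(body[i + 1], body[i + 1]))
            i += 2
        elif ch == "'":
            if body[i:i + 2] != "''":
                raise ValueError("unescaped quote terminates literal early")
            out.append("'")
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def round_trip(value: str) -> dict:
    """Insert a value, read back what was stored, and build the re-insert query."""
    first_literal = "'" + mysql_escape(value) + "'"
    stored = parse_literal(first_literal)        # what actually lands in the table
    second_literal = "'" + mysql_escape(stored) + "'"  # must escape again
    return {"literal": first_literal, "stored": stored, "reinsert": second_literal}


def reinsert_unescaped_is_safe(stored: str) -> bool:
    """Does reusing the stored value as-is (no escaping) still yield the same value?"""
    try:
        return parse_literal("'" + stored + "'") == stored
    except ValueError:
        return False
```

The stored value comes back identical to the input, so the second query needs the same escaping as the first; a parameterised query (prepared statement) sidesteps the question entirely because the value never enters the SQL text.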
Yes, you have to. What if, the first time that string was inserted, it was never escaped?
Yes. I'm assuming you mean mysql_real_escape_string here; MySQL will return the unescaped version, so if you are going to reinsert, you will have to re-escape the values.
Yes, you need to - the reason being that you'll have stored it escaped, etc. so when you retrieve it you'll presumably have un-escaped it to its original form (the ultimate idea being to store the input data "as-is" to preserve it and then escape on output).
As such, you'd need to escape it during subsequent query uses, and indeed for output on the front end. (Although for front end purposes you'd use htmlentities, etc. as appropriate for the type of data.)