Before I put data into my database I pass it through mysql_real_escape_string.
If I want to copy that same data into another table, do I need to pass it through mysql_real_escape_string again before I copy it?
I wrote a small script to test the issue and it looks like the answer is yes:
<?php
$db = new AQLDatabase();   // the asker's own database wrapper class (not shown)
$db->connect();
$title = "imran's color";
$title = mysql_real_escape_string($title);   // escape the apostrophe for the query text
$sql = "insert into tags (title, color) values ('".$title."','@32324')";
$db->executeSQL($sql);
$sql = "select * from tags where color = '@32324' ";
$result = $db->executeSQL($sql);
$new_title = '';   // the stored title comes back as the original string, without the backslash
while ($row = mysql_fetch_array($result)) {
    $new_title = $row['title'];
}
$new_title = mysql_real_escape_string($new_title);   // escape again before embedding it in a new query
$sql = "insert into tags (title, color) values ('".$new_title."','DDDDD')";
$db->executeSQL($sql);
NOTE: If I remove the second mysql_real_escape_string call, then the second insert won't take place.
Are you doing something like this?
- save mysql_real_escape_string($bla) to database
- fetch $bla from database
- save $bla again (in another table..)
Fetching $bla from the database will "unescape" it so it could be a harmful string again. Always escape it again when saving it.
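The round trip this answer describes, as an added example that is not part of the question or any answer. It uses an in-memory SQLite database through PDO so it runs without a MySQL server (it assumes the pdo_sqlite extension is loaded), and PDO::quote() stands in for mysql_real_escape_string(), which needs a live MySQL connection; the table names and values mirror the question.

```php
<?php
// Added example: escaping belongs to the query text, not to the stored data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE tags (title TEXT, color TEXT)");
$pdo->exec("CREATE TABLE tags_copy (title TEXT, color TEXT)");

$title = "imran's color";   // constructed sample value from the question

// 1. The escaped form only exists inside the SQL string; the parser consumes it,
//    so what the database stores (and returns) is the original, unescaped value.
$pdo->exec("INSERT INTO tags (title, color) VALUES (" . $pdo->quote($title) . ", '@32324')");
$stored = $pdo->query("SELECT title FROM tags WHERE color = '@32324'")->fetchColumn();
var_dump($stored === $title);   // bool(true): the fetched value is "unescaped" again

// 2. Copying it by string concatenation without escaping breaks the new query
//    (and with other input could change its meaning instead of just failing).
try {
    $pdo->exec("INSERT INTO tags_copy (title, color) VALUES ('" . $stored . "', 'DDDDD')");
} catch (PDOException $e) {
    echo "unescaped copy failed: " . $e->getMessage() . "\n";
}

// 3. Escaping again for every query that embeds the string works ...
$pdo->exec("INSERT INTO tags_copy (title, color) VALUES (" . $pdo->quote($stored) . ", 'DDDDD')");

// 4. ... but a prepared statement keeps data out of the query text entirely,
//    so the "do I escape it again?" question never arises.
$stmt = $pdo->prepare("INSERT INTO tags_copy (title, color) VALUES (:title, :color)");
$stmt->execute([':title' => $stored, ':color' => 'EEEEE']);

// 5. Copying inside the database involves no PHP string handling at all.
$pdo->exec("INSERT INTO tags_copy (title, color) SELECT title, 'FFFFF' FROM tags WHERE color = '@32324'");

foreach ($pdo->query("SELECT title, color FROM tags_copy") as $row) {
    echo $row['color'] . ': ' . $row['title'] . "\n";   // three rows, all with the apostrophe intact
}
```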
Before I put data into my database I always make it go through the Mysql_real_Escape_String thing.
You are doing it right. Just keep it as is. Not the database, though, but the query.
The only note: only strings should be escaped using this function. It shouldn't be used with any other query parts.
do I need to make it go through the Mysql_real_Escape_String again before I copy it?
Didn't you answer your question already? Before I put [string-type] data into my [query] I always make it go through the Mysql_real_Escape_String thing.
Is your data going to SQL query? So, here is an answer you have already.
Well, if you are sure this data is already properly escaped, there is no need to.
mysql_real_escape_string is for 1) escaping 2) security purposes. Since it's your own database, and as long as you pass data to another database outside a potential hacker's reach, you are already safe.
It's already escaped, just copy it as is. If you want to undo the mysql_real_escape_string you can use stripslashes($string) to remove it.
PS: This is false and now I understand why.