Shadowing Posted January 6, 2012 Share Posted January 6, 2012 been wondering about this for a while do I need to put the escape on each WHERE? or do i really only need to put it on the $_POST i can probably understand why i need it on $_GET also after WHERE. So wondering about the session id. <?php mysql_query("UPDATE systems SET homes= $homes + '".mysql_real_escape_string($_POST['homes'])."' WHERE address = '".mysql_real_escape_string($_GET['planet'])."' AND id = '".($_SESSION['user_id'])."'"); ?> Quote Link to comment Share on other sites More sharing options...
Shadowing Posted January 6, 2012 Author Share Posted January 6, 2012 been wondering about this for a while do I need to put the escape on each WHERE? or do i really only need to put it on the $_POST i can probably understand why i need it on $_GET also after WHERE. So wondering about the session id. <?php mysql_query("UPDATE systems SET homes= $homes + '".mysql_real_escape_string($_POST['homes'])."' WHERE address = '".mysql_real_escape_string($_GET['planet'])."' AND id = '".($_SESSION['user_id'])."'"); ?> Quote Link to comment Share on other sites More sharing options...
trq Posted January 6, 2012 Share Posted January 6, 2012 All user provided data needs to be validated and escaped before using it in any query. Quote Link to comment Share on other sites More sharing options...
Shadowing Posted January 6, 2012 Author Share Posted January 6, 2012 thats why i was thinking i wouldnt need it on the 2nd WHERE matching session id since its not matching something a user could insert is my way of thinking about that correct? Quote Link to comment Share on other sites More sharing options...
PaulRyan Posted January 6, 2012 Share Posted January 6, 2012 Yes that is correct. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.