I actually tried that and also var_dump. The value I added in my first post is the value being processed. The exact same code works on my local machine; it just does not work on the server, and it only happens to the values passed to mysql_real_escape_string. All other POST values, like ints which I cast or do a regular expression search on, work just fine. This is what I’m doing:
If you are using mysqli then why don’t you use prepare/bind for your database calls and do away with the need to escape anything?
Also you should never run the escape directly on the raw input field - you should always validate post fields first before using them in any code at all.
Unless you don’t care what the value is you’re going to save in the database, you should validate user input because you never know what values your script will receive.
If you need a date, you’ll have to make sure the received value is a valid date.
If you need one of a given set of values, for example ‘red’ ‘yellow’ or ‘blue’, you should make sure the received value is one of those before saving it in the database.
Even if you create a form with select boxes with the allowed values, that doesn’t mean someone can’t “hack” it and send your script other values.
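The validate-then-bind flow that the two replies above describe, as an added PHP example (not code from the original thread or from either poster): each POST field is checked against its expected shape first (a strict calendar date; one of a fixed set of options), and only validated values reach the database through a mysqli prepared statement, so nothing is ever passed to mysqli_real_escape_string. The sample POST rows are constructed; the connection credentials, database and the `events` table layout are assumptions for the example.

```php
<?php
// Added example, not from the original thread.
// Assumed: a MySQL server at 127.0.0.1 with the credentials below and a table
//   CREATE TABLE events (
//     id INT AUTO_INCREMENT PRIMARY KEY,
//     event_date DATE NOT NULL,
//     colour VARCHAR(10) NOT NULL
//   );
declare(strict_types=1);

const ALLOWED_COLOURS = ['red', 'yellow', 'blue'];

/** Return $value only if it is exactly a valid Y-m-d calendar date, otherwise null. */
function validateDate(string $value): ?string
{
    // '!' resets unspecified fields so the round trip below compares only the date part.
    $d = DateTime::createFromFormat('!Y-m-d', $value);
    // createFromFormat is lenient: '2023-02-31' becomes 3 March instead of failing,
    // so re-format and insist the result is byte-for-byte what was submitted.
    if ($d === false || $d->format('Y-m-d') !== $value) {
        return null;
    }
    return $value;
}

/** Return $value only if it is one of the allowed options (strict comparison), otherwise null. */
function validateChoice(string $value, array $allowed): ?string
{
    return in_array($value, $allowed, true) ? $value : null;
}

/** Insert one validated row via a prepared statement; the values travel as bound data, not SQL text. */
function insertEvent(mysqli $db, string $date, string $colour): int
{
    $stmt = $db->prepare('INSERT INTO events (event_date, colour) VALUES (?, ?)');
    $stmt->bind_param('ss', $date, $colour);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Constructed sample submissions standing in for $_POST. The last one is what a
// tampered <select> looks like: a value the form never offered.
$samples = [
    ['date' => '2024-02-29', 'colour' => 'blue'],            // valid leap day, allowed colour
    ['date' => '2023-02-31', 'colour' => 'red'],             // impossible date
    ['date' => '2024-05-01', 'colour' => "red' OR 1=1 -- "], // not in the whitelist
    ['colour' => 'yellow'],                                  // date field missing entirely
];

$validated = [];
foreach ($samples as $post) {
    $date   = validateDate((string) ($post['date'] ?? ''));
    $colour = validateChoice((string) ($post['colour'] ?? ''), ALLOWED_COLOURS);
    if ($date === null || $colour === null) {
        echo 'rejected: ' . json_encode($post) . "\n";
        continue;
    }
    $validated[] = [$date, $colour];
}

// Only the rows that passed validation are sent to the database.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('127.0.0.1', 'app_user', 'app_password', 'app_db'); // assumed credentials
$db->set_charset('utf8mb4');
foreach ($validated as [$date, $colour]) {
    echo 'inserted id ' . insertEvent($db, $date, $colour) . "\n";
}
$db->close();
```

Two points worth keeping in mind when adapting this: the placeholders in a prepared statement bind values only, so a table or column name taken from the request still has to go through a whitelist like the colour check above, and the whitelist check is the step that rejects a tampered select value whether or not it contains a quote, which is something escaping alone would never do.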
Yeah I get that, but he said never to escape unvalidated data, which I thought was a bit too strict. As you say, there are times you don’t care what goes in, or if the data even exists.
As I was reading I was wondering if there was some overhead related to mysql(i)_real_escape_string() that I hadn’t read about which would call for validation to try to limit its use, but it seems not. Thanks for clarifying.