what method are you normally calling before inserting the user data to the database (MySQL) and then after retrieving the data.
Is mysql_real_escape_string() enough now or do you have better approach?
This is tough to answer as it depends on your needs. For example, does this query contain user input? Is this wrapped in a method or function? Other things apply as well, such as control characters and HTML.
You may want to read the following thread, it has a good conversation on when to use mysql_real_escape_string versus htmlentities or htmlspecialchars: http://www.sitepoint.com/forums/showthread.php?895790-mysql_real_escape_string-and-htmlspecialchars-while-matching
Provided you use separate prepare and bind statements for your database calls, you don't need anything special to be able to save your validated user input to the database. mysql_real_escape_string() used to be necessary when the SQL and data had to be all jumbled together in the one call, in order to escape parts of the data that could be confused with the SQL.
Sanitize all data read from the database so as to strip out anything that might be harmful if the database has been tampered with (if it hasn't been tampered with then there shouldn't be anything harmful in there).
Of these, the most important step is the first one: VALIDATION.
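As an added illustration of the contrast drawn in the reply above (example code, not posted by anyone in the thread), here is the same lookup written both ways in PHP's mysqli: once with the SQL and data jumbled into one string and escaped, once with prepare and bind. The host, credentials, database name and `users` table are assumptions; validation of the input happens before either query and HTML escaping happens only on output.

```php
<?php
// Added example, not from the thread. Assumes a MySQL database "app" with a
// table users(id INT, email VARCHAR(255), name VARCHAR(100)) reachable with the
// constructed credentials below, and the mysqlnd driver (for get_result()).
declare(strict_types=1);

$mysqli = new mysqli('127.0.0.1', 'app_user', 'app_password', 'app');
$mysqli->set_charset('utf8mb4'); // escaping and binding are charset-sensitive; set it explicitly

// Old style: SQL text and data in one string, so every value must be escaped
// for the connection's charset before concatenation. One forgotten call
// anywhere in the code base leaves the SQL open to being confused with data.
function findByEmailEscaped(mysqli $db, string $email): ?array
{
    $safe = $db->real_escape_string($email);
    $sql  = "SELECT id, name FROM users WHERE email = '{$safe}'";
    $row  = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

// Prepare/bind style: the SQL is sent with a placeholder and the value is
// transmitted separately, so the server never parses user data as SQL and no
// escaping step is needed at all.
function findByEmailPrepared(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Step one is still validation: binding stops data being read as SQL, but it
// does not turn a malformed value into a valid one.
$input = "o'brien@example.com"; // constructed input; the quote is legitimate data here
if (filter_var($input, FILTER_VALIDATE_EMAIL) === false) {
    echo "rejected by validation\n";
} else {
    // The embedded quote is sent as data; no syntax error, no escaping needed.
    var_dump(findByEmailPrepared($mysqli, $input));
}

// Output to the browser is a separate context: escape for HTML there, not for SQL.
$row = findByEmailPrepared($mysqli, 'alice@example.com');
if ($row !== null) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Both functions return the same row for well-formed input; the difference is that `findByEmailPrepared` has no escaping step to forget, which is the reason the reply recommends prepare and bind over `mysql_real_escape_string()`.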