I used mysql_real_escape_string() to prevent SQL injection for the $field variable below. Should I use the same for $_SESSION['user_id']?
I can’t imagine someone being able to change a value in the $_SESSION array. Can they?
$query = "SELECT `".mysql_real_escape_string($field)."` FROM `users` WHERE `id`='".$_SESSION['user_id']."'";
They can't change the $_SESSION array, but your problem totally depends on how you initialized $_SESSION['id']. In a general way, you should always escape values in a SQL query. Don't try to guess whether or not values can be modified from a user input, just escape them.
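As an added example (not code from the question or the answer above), here is the same query written with mysqli prepared statements instead of string escaping: the session value is bound as a parameter, and the column name, which cannot be bound and which mysql_real_escape_string() does not protect as an identifier, is checked against a fixed allow-list. The connection $db, the allow-list contents and the fetchUserField() helper are assumptions for illustration.

```php
<?php
// Added example, not the poster's code. Assumes a mysqli connection $db
// and a user-chosen $field; the field names in the allow-list are made up.

// Identifiers (column names) cannot be bound as parameters, and
// mysql_real_escape_string() escapes string literals, not identifiers.
// Restrict $field to a known set of columns instead of escaping it.
const ALLOWED_FIELDS = ['username', 'email', 'created_at'];

function fetchUserField(mysqli $db, string $field, int $userId): ?string
{
    if (!in_array($field, ALLOWED_FIELDS, true)) {
        throw new InvalidArgumentException("Unknown field: $field");
    }

    // The session value is bound as a parameter, so it is never parsed as
    // SQL, however $_SESSION['user_id'] was originally populated.
    $stmt = $db->prepare("SELECT `$field` FROM `users` WHERE `id` = ?");
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $stmt->bind_result($value);
    $found = $stmt->fetch();
    $stmt->close();

    return $found ? $value : null;
}

// Usage (assumes session_start() has run and user_id was set at login):
// $db = new mysqli('localhost', 'app', 'secret', 'appdb');
// echo fetchUserField($db, $field, (int) $_SESSION['user_id']);
```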