I’m trying to secure my script a bit after some suggestions in the last question I asked.
Do I need to secure things like $row['page_name'] with the mysql_real_escape_string function? example:
$pagename = mysql_real_escape_string($row['page_name']);
I’m asking mainly because when I do secure every row I get some errors. For example, when I call number_format() it throws "number_format() expects parameter 1 to be double, string given", while when the value is not secured with mysql_real_escape_string it works.
Can someone clear this up for me? Do I only need to secure COOKIEs, or the row fetches too?
I got the suggestion in this post: HERE (look at the selected answer)
You’re doing it backwards. Presumably $row is a row coming out of the database. You don’t mysql_real_escape_string on the way out of the database; you use it on data going into the database to prevent SQL injection. It prevents people from submitting data that contains executable SQL code.

Once the data is safely in the database, you’re done with mysql_real_escape_string (until you attempt to update that data). User data coming out of the database needs to be run through htmlspecialchars before it hits the page to prevent script injection.

Basically, on the way to the database, just before your insert/update runs, you need to escape potentially executable SQL. On the way to the browser, just before strings leave your app for the browser, you need to escape potentially executable JavaScript and/or interpretable HTML. Escaping should be the last thing you do with a piece of data before it leaves your app for either the browser or database.
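The two boundaries the answer describes, as an added example (not code from the question or the answer). It assumes a mysqli connection in $db and a hypothetical `pages` table with `page_name` and `view_count` columns. Because the mysql_* extension the question uses was removed in PHP 7, the database side uses a mysqli prepared statement, which serves the same purpose as mysql_real_escape_string on the way in; the browser side applies htmlspecialchars only at the point of output, so the raw row value is still available for number_format().

```php
<?php
// Boundary 1: data going INTO the database.
// A prepared statement binds the value as data, so it can never be parsed
// as SQL. This replaces mysql_real_escape_string, which needed a live
// mysql_* connection and no longer exists in current PHP.
function insertPage(mysqli $db, string $pageName, int $viewCount): bool
{
    $stmt = $db->prepare('INSERT INTO pages (page_name, view_count) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('si', $pageName, $viewCount);
    return $stmt->execute();
}

// Boundary 2: data going OUT to the browser.
// Escape for HTML only when building the output string. Anything that is
// not output (here number_format on the count) works on the untouched
// value, which is why escaping every fetched column broke the question's code.
function renderPageRow(array $row): string
{
    $safeName = htmlspecialchars($row['page_name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $views    = number_format((float) $row['view_count']);
    return "<li>{$safeName} ({$views} views)</li>";
}

// Constructed sample row, shaped like a SELECT result (assumption, not real data).
// The name carries a quote, an ampersand and a tag so the output escaping is visible.
$sampleRow = [
    'page_name'  => "O'Reilly & Sons <b>test</b>",
    'view_count' => '12345',
];
echo renderPageRow($sampleRow), PHP_EOL;
```

The rule of thumb from the answer is encoded in the function names: insertPage is the last step before SQL runs, renderPageRow is the last step before HTML leaves the application, and nothing in between transforms the data.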