Normally I do this for all my user inputs both strings and numerical inputs:
$matric_no = mysql_real_escape_string($_POST['matric_no']);
And I use the parameter on the LHS to get the required value either to work on or post into mysql. Is this practice enough security wise? Is it a good practice?
Thanks for your help.
As long as all of your variables being inserted into the query are enclosed in quotes and escaped using mysql_real_escape_string(), you should be okay. If possible, I recommend using the Mysqli extension instead of the obsolete Mysql extension. If you do, then you can make use of parameter binding, and be 100% sure that your queries are safe from injection (as long as you bind all parameters, that is).
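As an added example (not code from the question or the answer), here are both approaches side by side in PHP: the escape-and-quote pattern from the question, and the mysqli prepared statement with bound parameters that the answer recommends. The `students` table, its columns, the connection details and the availability of mysqlnd (for `get_result()`) are assumptions.

```php
<?php
// Added example, not from the original thread. Assumes a MySQL table
// `students` (`name`, `matric_no` VARCHAR, `level` INT); connection values are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'school');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4'); // escaping is charset-aware, so set the charset explicitly

// 1) The pattern from the question, done the way the answer requires: the escaped
//    value MUST sit inside quotes in the SQL text. Escaping only neutralises quote and
//    backslash characters, so an escaped value interpolated unquoted (a common habit
//    for numeric columns) is still injectable. The quotes around '$level' below are
//    what keep the numeric input safe.
$matric_no = $db->real_escape_string($_POST['matric_no'] ?? '');
$level     = $db->real_escape_string($_POST['level'] ?? '');
$sql = "SELECT name FROM students WHERE matric_no = '$matric_no' AND level = '$level'";

// 2) Preferred: a prepared statement with bound parameters. The SQL text and the data
//    reach the server separately, so user input never needs quoting or escaping.
function find_student(mysqli $db, string $matric_no, int $level): ?array
{
    $stmt = $db->prepare('SELECT name FROM students WHERE matric_no = ? AND level = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // 's' = string, 'i' = integer; the driver enforces the types, no quoting involved
    $stmt->bind_param('si', $matric_no, $level);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Binding stops injection; it does not validate the data, so check the shape too.
$level = filter_input(INPUT_POST, 'level', FILTER_VALIDATE_INT);
if ($level === false || $level === null) {
    die('invalid level');
}
$student = find_student($db, (string) ($_POST['matric_no'] ?? ''), $level);
```

Once every value is bound, the old escape-and-quote form is no longer needed at all; mixing the two styles in one code base is where unquoted interpolations tend to slip in.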