Home/ Questions/Q 6581945
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-25T16:13:04+00:00

So I know about MySQL injection and always escape all my user input before

  • 0

So I know about MySQL injection and always escape all my user input before putting it in my database. However I was wondering, imagine a user tries to submit a query to inject, and I escape it. What if I then at a later moment take this value from the database, and use it in a query. Do I have to escape it again?

So: (sql::escape() contains my escape function)

$userinput = "'); DROP `table` --";
mysql_query("INSERT INTO `table` 
             (`foo`,`bar`) 
             VALUES 
             ('foobar','".sql::escape($userinput)."')");

// insert php/mysql to fetch `table`.`bar` into $output here

mysql_query("INSERT INTO `table2` 
            (`foo`,`bar`) 
            VALUES
            ('foobar','".$output."')");

Does MySQL automatically escape their output or something like that, or should I escape in the second query as well?

This is a testcase but this occurs in some other ways within my program and I’m wondering how tight the security has to be for cases like this.

EDIT

My escape function

static function escape($string){

    if(get_magic_quotes_gpc()) 
        $string = stripslashes($string); 

    return mysql_real_escape_string($string);

}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Does MySQL automatically escape their output or something like that, or should I escape in the second query as well?

    You need to escape in the second query as well. MySQL does not do any escaping on its output.

    Long answer: MySQL string escaping does not modify the string that is being inserted, it just makes sure it doesn’t do any harm in the current query. Any SQL injection attempt still remains in the data.

    • 0