There is nothing wrong with my code, but I just cant help but wonder,

Question

0

Asked: May 30, 20262026-05-30T15:04:17+00:00 2026-05-30T15:04:17+00:00

There is nothing wrong with my code, but I just cant help but wonder,

0

There is nothing wrong with my code, but I just cant help but wonder, should I wrap the $key with mysql_real_escape_string? This is just part of my Database function which is mainly used to pull data out of the database with table name and $where as arguments to the function. $where is to be an associative array with keys being column name, and values being the data.

This is what processes the $where array. Before this I have $sql = ‘select * from ‘ . $table;

if(!empty($where)){
        $where_count = count($where);

        $sql .= ' WHERE ';

        foreach($where as $key => $value){

            $split_key = explode(' ', $key);

            if(count($split_key) > 1){
                $sql .= $key[0] . ' ' . $key[1] . ' "' . mysql_real_escape_string($value) . '" ';
            } else {
                $sql .= $key . ' = "' . mysql_real_escape_string($value) . '" ';
            }
        }
    }

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-30T15:04:18+00:00

Editorial Team

2026-05-30T15:04:18+00:00Added an answer on May 30, 2026 at 3:04 pm

Filter ANY INPUT from the user that is going to be placed in your query. No doubt!
So if the keys are supplied by the user, YES and if they are generated in a safe manner, NO.

Take a look at SQL Injection to understand why filtering must be done.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

There is nothing wrong with my code, but I just cant help but wonder,

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply