Is mysql_real_escape_string() with sprintf needed only at login page or at every mysql_query after login, for preventing SQL injection?
4 Answers
You should use mysql_real_escape_string() every time you insert user-posted data into a query, or use a database wrapper like PDO that can do prepared statements. That would be better, because they do the job of sanitizing for you.
If you are working on the overall security of your site, this is great and definitely necessary. If you are looking for reasons why your site was hacked, though, I doubt this was done through a SQL injection, as your actual HTML code was affected (or so I thought, I may be wrong). This would be only possible if you had your FTP password stored somewhere in the database.
Comments
You should use mysql_real_escape_string for any user supplied data that is going to be run through an SQL query.
2 Comments
mysql_* at all. In any instance that you accept user input, you should use mysqli_real_escape_string on it before sending it to the database. It is a good idea to use trim() on the input as well.
mysql_* functions in new code. They were removed from PHP 7.0.0 in 2015. Instead, use prepared statements via PDO or MySQLi. See Why shouldn't I use mysql_* functions in PHP? for more information.
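As an added example (not code from the question or from any of the answers above): the sprintf-plus-escaping pattern the question asks about, written against mysqli since mysql_* no longer exists, next to the prepared-statement form the first and last answers recommend, applied both to the login query and to a query that runs after login. The DSN, credentials, and the `users` / `posts` tables and their columns are assumptions made for the example.

```php
<?php
// Added example, not from the question or the answers. Table/column names,
// the DSN and credentials are placeholders; adjust them to your schema.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
        'app_user',
        'app_password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Real server-side prepares: values are never spliced into SQL text.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// The pattern the question asks about. It is only safe when every
// user-controlled value is escaped AND sits inside quotes in the format
// string; forgetting either step on any one query, on any page, is enough
// for an injection. That is why the answers say "every query", not "login".
function legacyLogin(mysqli $db, string $user, string $pass): ?int
{
    $sql = sprintf(
        "SELECT id, password_hash FROM users WHERE username = '%s'",
        $db->real_escape_string($user)
    );
    $res = $db->query($sql);
    $row = $res ? $res->fetch_assoc() : null;
    if ($row && password_verify($pass, $row['password_hash'])) {
        return (int) $row['id'];
    }
    return null;
}

// Prepared statement: the SQL text is fixed and the value travels
// separately, so a username such as  ' OR '1'='1  is just compared as a string.
function login(PDO $db, string $user, string $pass): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row !== false && password_verify($pass, $row['password_hash'])) {
        return (int) $row['id'];
    }
    return null;
}

// A query that runs after login needs exactly the same treatment. The post
// id comes from the URL; escaping it as a string would not help because it
// is used unquoted as a number, so validate it as an integer and bind it.
function fetchPost(PDO $db, int $userId, string $rawPostId): ?array
{
    $postId = filter_var($rawPostId, FILTER_VALIDATE_INT);
    if ($postId === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, body FROM posts WHERE id = :id AND user_id = :uid');
    $stmt->bindValue(':id',  $postId, PDO::PARAM_INT);
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage: the login form and a post-login page both go through prepared statements.
$db = connect();
$userId = login($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($userId !== null) {
    $post = fetchPost($db, $userId, $_GET['post'] ?? '');
}
```

mysqli offers the same thing through `prepare()` and `bind_param()` if you would rather not switch to PDO. The `trim()` suggested in one answer is input normalisation and does nothing against injection on its own; what matters is that no query, at login or afterwards, ever has a user-supplied value concatenated into its SQL text.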