Do I have to use mysql_real_escape_string for every query or just when there are user inputs on the page?
Let's say I have:
$check = mysql_query("SELECT * FROM users WHERE user='$user' AND pm='$on'");
$numrows_check = mysql_num_rows($check);
if ($numrows_check == 1) {
    // exactly one matching row
}
Do I have to worry about SQL injections here if the page has no user inputs?
P.S.
I know PDO and mysqli, I'm asking specifically for mysql. Thanks.
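The point the question turns on is where `$user` and `$on` come from, not whether the page has a form. The following is an added example, not code from the question: it assumes PHP 5.x with the legacy mysql extension and a connection already opened with `mysql_connect()`, and the values of `$user` and `$on` are constructed to stand in for data read from a cookie, a session, or an earlier database row.

```php
<?php
// Added example, not from the original question. Assumes PHP 5.x with the
// legacy mysql extension and an open connection from mysql_connect().
//
// Whether a value reaches the query from a form, a cookie, a session, or a
// row fetched earlier makes no difference: once it is pasted into the SQL
// string it is parsed as SQL. Both values below are constructed sample data.
$user = "x' OR '1'='1";   // e.g. a display name stored at signup, or a cookie
$on   = '1';

// Pattern from the question: the quote inside $user ends the literal early,
// so the statement becomes
//   SELECT * FROM users WHERE user='x' OR '1'='1' AND pm='1'
$unsafe = "SELECT * FROM users WHERE user='$user' AND pm='$on'";

// Escaped pattern: mysql_real_escape_string() must be applied to EVERY
// interpolated value, and each value must still sit inside single quotes
// in the SQL. Result:
//   SELECT * FROM users WHERE user='x\' OR \'1\'=\'1' AND pm='1'
$user_e = mysql_real_escape_string($user);
$on_e   = mysql_real_escape_string($on);
$safe   = "SELECT * FROM users WHERE user='$user_e' AND pm='$on_e'";

$check = mysql_query($safe);
if ($check === false) {
    die('Query failed: ' . mysql_error());
}
if (mysql_num_rows($check) == 1) {
    // exactly one matching user
}
```

Two caveats a practitioner should keep in mind with this approach: `mysql_real_escape_string()` escapes according to the connection's character set, so call `mysql_set_charset()` after connecting rather than relying on the default; and it only protects values placed inside quoted string literals, so a value interpolated bare into a numeric comparison (`pm=$on`) is still injectable even after escaping.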
mysqli and/or PDO still need prepared statements and parameterized queries to prevent SQL injection. PDO and update part by part of the project until you end up with PDO only. This is just a thought, I've never done anything like that and if you are really going to, do it at your own risk. Make sure you are able to update a complete part so that it uses only PDO. Don't forget to backup your stuff and maybe use some version control... Anyways, best of luck :D
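The same lookup written with a PDO prepared statement, as an added example that is not part of the answer above. The DSN, database name and credentials are placeholders; the table and column names are the ones from the question.

```php
<?php
// Added example, not from the answer above. Assumes a MySQL server reachable
// with the placeholder DSN and credentials below.
$dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';
$pdo = new PDO($dsn, 'app_user', 'app_password', array(
    // Throw on errors instead of returning false.
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Use real server-side prepared statements, not client-side emulation.
    PDO::ATTR_EMULATE_PREPARES => false,
));

/**
 * Return the single row matching $user and $on, or null.
 *
 * The SQL text is sent to the server once, with placeholders; the values are
 * sent separately when the statement is executed. Quotes, comment markers or
 * keywords inside $user therefore stay data and cannot change the statement.
 */
function find_user(PDO $pdo, $user, $on)
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE user = :user AND pm = :pm');
    $stmt->execute(array(':user' => $user, ':pm' => $on));
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    return count($rows) == 1 ? $rows[0] : null;
}

// Constructed input: the same injection attempt as before is now harmless.
$row = find_user($pdo, "x' OR '1'='1", '1');
var_dump($row); // NULL unless a user is literally named x' OR '1'='1
```

When migrating a codebase piece by piece as the answer suggests, the one thing to watch is that a PDO connection and a legacy `mysql_connect()` connection are separate sessions: a transaction or `LAST_INSERT_ID()` on one is invisible to the other, so each self-contained part should be moved to PDO in full rather than mixing both within a single request.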