
Is this the right way to use mysql_real_escape_string? I was using $_GET but a friend told me to make it safer with real_escape_string:

$id = intval($_GET['id']);

$result = mysql_query("SELECT * 
                         FROM products 
                        WHERE id = $id") or die("err0r");

if(!$result) { mysql_real_escape_string($id); }
  • forget about mysql_real_escape_string and just use parameterized queries. Commented May 12, 2011 at 23:38

5 Answers


No, you normally use mysql_real_escape_string to prepare variables for use in a query, but in your case:

  1. you already use intval;
  2. you use it in the wrong place.

You don't need it in your example.


Okay so mysql_real_escape_string is totally unnecessary unless it's a string? When the id's are numbers, intval does the trick?

No. That is entirely wrong, and I can't quite understand what you're intending the call to do.

The purpose of mysql_real_escape_string is to avoid SQL injection, which is one of the biggest security risks in a website. It stops your users giving input that manipulates the SQL in evil ways. For instance:

$sql = "SELECT * FROM users WHERE username = '" . $_GET['username'] . "'";

If I put lonesomeday' or 'a' = 'a into $_GET['username'], your query becomes

SELECT * FROM users WHERE username = 'lonesomeday' or 'a' = 'a'

and obviously arbitrary SQL could then be executed. mysql_real_escape_string escapes unsafe characters (such as ' in that example), so that they can't be used in this way.

$sql = "SELECT * FROM users WHERE username = '" . mysql_real_escape_string($_GET['username']) . "'";
// SELECT * FROM users WHERE username = 'lonesomeday\' or \'a\' = \'a'

The quotes are now escaped, so the query can't be manipulated into doing evil things.

With all that said, in this case, intval does all you need. It also ensures that nothing that is not an integer can be in $id, so your code is safe here from SQL injection.


the purpose of mysql_real_escape_string is to conform the input with MySQL DB special characters, and the fact that someone could tweak the query by injecting the prepared statement is the consequence of an 'evil mind' ;) +1 for noting this.
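The comment on the question suggests parameterized queries instead of escaping. This added example (not code from the question or any answer) shows that approach with PDO prepared statements, which is also what remains available once the mysql_* extension is gone (it was removed in PHP 7). The DSN and credentials are placeholders, and a `products` table with an integer `id` column is assumed.

```php
<?php
// Added example, not from the original question or answers.
// Assumes a MySQL database reachable via PDO; DSN and credentials are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'USER_PLACEHOLDER',
    'PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

function findProductById(PDO $pdo, string $rawId): ?array
{
    // Validate the shape of the input first. Unlike intval(), which silently
    // turns "1 OR 1=1" into 1, FILTER_VALIDATE_INT rejects anything that is
    // not a whole integer, so bad input is reported instead of guessed at.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // The value is never concatenated into the SQL text: the statement is sent
    // with a placeholder and the integer is bound separately, so there is
    // nothing to escape and no quoting mistake to make.
    $stmt = $pdo->prepare('SELECT * FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$product = findProductById($pdo, $_GET['id'] ?? '');
if ($product === null) {
    http_response_code(404);
    echo 'No such product';
} else {
    // ... render $product
}
```

The same pattern applies to string columns such as `username` from the answer above: bind with `PDO::PARAM_STR` and the `'` in the injected value stays data rather than becoming SQL.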

NO, you need to escape before querying

$id = intval($_GET['id']);

$result = mysql_query("SELECT * 
                         FROM products 
                        WHERE id = '" . mysql_real_escape_string($id) . "'") or die("err0r");

if(!$result) {
}


Use:

$query = sprintf("SELECT * 
                    FROM products 
                   WHERE id = %d",
                  intval($_GET['id']));

$result = mysql_query($query) or die("err0r");

You use mysql_real_escape_string before the value is used in the query, otherwise you're not handling the SQL injection attack.


you want to escape it before you stick it in a query (Before it interacts with DB so you don't get injections).

// check if your $_GET is not empty otherwise you 
// will run into "undefined variable"
if(!empty($_GET['id'])){
    $id = intval($_GET['id']);

    // to simplify you can escape here, 
    // or to be a bit more complex, you can escape in the query line.
    $id = mysql_real_escape_string($id); 

    $result = mysql_query("SELECT * 
                         FROM products 
                        WHERE id = '$id'") or die("err0r");
}
else
    print 'No ID';
