This question already has an answer here:
I'm using sha1 to encrypt it. Should I mysql_real_escape_string() as well, or is encrypting it enough?
Technically speaking, the output from sha1 will always be a hex-string, so you wouldn't need to escape it.
However: The answer to this question is always the same: escape the values. If it comes from a hard-coded variable 2 lines before your SQL, escape it. Always. Escape. Period. There are SO many other things to worry about optimizing.
Parameterized queries and PDO are always the best option, however
Second note: sha1 and md5 aren't the most secure for passwords. If you're not too far in, consider another solution such as blowfish
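The two recommendations in the answer above (parameterized queries through PDO, and a Blowfish-based hash instead of sha1) combined in one sketch. This is an added example, not code from the original post. The `users` table, its columns, and the `register_user` / `check_login` functions are hypothetical, and it assumes the pdo_sqlite extension so it can run against an in-memory database.

```php
<?php
declare(strict_types=1);

// Added example; table, column and function names are hypothetical.
// Assumes pdo_sqlite is available; the in-memory database keeps the demo offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

function register_user(PDO $db, string $name, string $password): void
{
    // bcrypt (the Blowfish-based "$2y$" scheme): salted per user and deliberately slow.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    // Placeholders keep data out of the SQL text, so there is no escaping step to forget.
    $stmt = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (:name, :hash)');
    $stmt->execute([':name' => $name, ':hash' => $hash]);
}

function check_login(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false; // unknown user
    }
    // password_verify reads the salt and cost from the stored hash itself.
    if (!password_verify($password, $hash)) {
        return false;
    }
    // Re-hash on successful login if the cost setting has been raised since.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => 12])) {
        $upd = $db->prepare('UPDATE users SET pw_hash = :hash WHERE name = :name');
        $upd->execute([
            ':hash' => password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]),
            ':name' => $name,
        ]);
    }
    return true;
}

// Constructed sample input: the apostrophe in the name is stored as plain data.
$name = "O'Brien";
register_user($db, $name, 'correct horse battery staple');
var_dump(check_login($db, $name, 'correct horse battery staple'));
var_dump(check_login($db, $name, 'wrong password'));
```

Both the user name and the hash are bound the same way, so the query stays safe whether or not a given value happens to be a hex string.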