This code for example won't escape the string of the comment for the database:
if ($_POST['comment']) {
    $comment = mysql_real_escape_string(htmlentities($_POST['comment_txt']));
    $comment_insert = mysql_query("UPDATE msgs SET msg='$comment' WHERE user='$username'")
        or die;
}
but this one will:
if ($_POST['comment']) {
    $comment_p = $_POST['comment_txt'];
    $comment = mysql_real_escape_string(htmlentities($comment_p));
    $comment_insert = mysql_query("UPDATE msgs SET msg='$comment' WHERE user='$username'")
        or die;
}
Why? Why can't I just escape the $_POST value? Why do I have to define a new $variable for $_POST to escape it? This is security-wise. I will move to PDO at some point, but at the moment I'm stuck with the old mysql API.
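For comparison, here is the PDO version of the same UPDATE that the question mentions moving to. This is an added example, not code from the original question: it uses an in-memory SQLite database and constructed request data so it runs offline, and it assumes the username comes from the session rather than from the form. With a prepared statement the query text never contains user data, so the escaping step (and the question of which variable it is applied to) disappears.

```php
<?php
// Added example, not code from the original question. Uses an in-memory
// SQLite database so it runs offline; in practice swap the DSN for MySQL.

function updateComment(PDO $db, string $username, string $comment): int
{
    // The SQL text is fixed; the values travel separately as bound parameters,
    // so quotes or SQL keywords in $comment are stored as data, not parsed.
    $stmt = $db->prepare('UPDATE msgs SET msg = :msg WHERE user = :user');
    $stmt->execute([':msg' => $comment, ':user' => $username]);
    return $stmt->rowCount();
}

function fetchComment(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT msg FROM msgs WHERE user = :user');
    $stmt->execute([':user' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['msg'];
}

// Constructed fixture standing in for the real `msgs` table.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE msgs (user TEXT PRIMARY KEY, msg TEXT)');
$db->exec("INSERT INTO msgs (user, msg) VALUES ('alice', ''), ('bob', '')");

// Constructed request data in place of $_POST; the text deliberately contains
// the quote characters that mysql_real_escape_string would otherwise have to handle.
$post = ['comment' => '1', 'comment_txt' => "It's \"fine\" -- isn't it?"];
$username = 'alice'; // assumption: taken from the session, not from the form

if (!empty($post['comment']) && isset($post['comment_txt'])) {
    $updated = updateComment($db, $username, $post['comment_txt']);
    $stored  = fetchComment($db, $username);
    // The comment is stored exactly as submitted; HTML-encode it at output time.
    echo $updated, " row(s) updated; stored: ",
        htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
}
```

Two design choices worth noting: the database receives the raw text and HTML encoding happens when the comment is rendered (with `htmlspecialchars`), so the stored value stays usable for other outputs; and the username is bound as a parameter too, since it is interpolated into the query in the original snippets just like the comment.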