I'm building a neat website for my friend, and I noticed that the site escaped the input from textboxes, textareas, etc. automatically.
Does this mean that I don't have to add mysql_real_escape_string when I want to insert the data in my mysql database and I can just leave it as it is?
Or is this a potential security risk?
分享 It does not really matter where the escaping took place, be it, when the form was being posted, or when the actual query to database was being made. mysql_* functions is in the process of being deprecated, and should no longer be in operation.
If you want neat, secure website. Learn to use either the mysql_i (i is for "improved") or better yet, the database agnostic interface called PDO interface. Both, will give you the neatness you need, and additional security boost.
You can get a tutorial for PDO here
and for Mysqli here
分享
