How safe is an input after passing through this function?
Is it 100% safe?
$id = $_POST['id'];
$id = mysql_real_escape_string($id);
The best way is not mixing SQL with user-provided data at all by using prepared statements.
In your case (assuming id is a number), simply use $id = intval($_POST['id']);. With a plain integer you cannot inject anything. You don't even need mysql_real_escape_string() in that case.
For string arguments, using mysql_real_escape_string() is sufficient - but never forget to single-quote the argument in the SQL string!
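An added example (not code from the question or the answer above) showing the two points the answer makes, validating a numeric id up front and keeping string values out of the SQL text with PDO prepared statements; the DSN, credentials, table and column names are assumptions.

```php
<?php
// Added example: type-checked numeric id plus PDO prepared statements.
// Assumed: a MySQL database "app" with a "users" table (id, name).
// Note: the mysql_* functions used in the question were removed in PHP 7.0.
declare(strict_types=1);

// Why escaping alone is fragile (the answer's point about quoting):
// mysql_real_escape_string() only escapes quote/backslash characters, so
//   "SELECT * FROM users WHERE id = " . mysql_real_escape_string($_POST['id'])
// gives no protection at all, because the value is never inside quotes.

function connect(): PDO {
    // ERRMODE_EXCEPTION surfaces failures instead of silently returning false;
    // disabling emulated prepares makes the MySQL server itself separate the
    // statement from its parameters.
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',   // assumed DSN
        'app_user', 'secret',                                // assumed credentials
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// Numeric id: validate the type rather than escape. FILTER_VALIDATE_INT rejects
// anything that is not a whole integer; min_range rejects zero and negatives.
function readId(array $post): int {
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit('invalid id');
    }
    return $id;
}

function findUserById(PDO $pdo, int $id): ?array {
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);   // bound as an integer, never interpolated
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// String argument: no escaping and no quoting by hand; the value is a bound parameter.
function findUsersByName(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo  = connect();
$user = findUserById($pdo, readId($_POST));
```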