
I have the following code:

$username = $_SESSION['username'];
$query = "SELECT id FROM users WHERE username = '$username'";  // value is interpolated into the SQL text here
$result = mysql_query($query) or die(mysql_error());
$row = mysql_fetch_row($result);
$user_id = $row[0];

Where should I apply mysql_real_escape_string here? Would $user_id = mysql_real_escape_string($row[0]); work?

I know that MySQL should be left in the past. I'll move to MySQLi soon enough.

SporeDev
    Nowhere. You ought to use prepared statements instead. – Your Common Sense Oct 17 '13 at 08:45
  • You want to apply it to potential user input, not your output – SubjectCurio Oct 17 '13 at 08:46
  • Ok. So I should use mysql_real_escape_string only for $_POST['something'], right? – SporeDev Oct 17 '13 at 08:48
    Please note that all the `mysql_xxx()` functions in PHP are deprecated and have been considered obsolete for years. You really need to read [Why shouldn't I use mysql_* functions in PHP?](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). – Spudley Oct 17 '13 at 08:51
  • Great source of information! :) – SporeDev Oct 17 '13 at 08:55
  • @SporeDev not just for $_POST, **anything** that could potentially come from the user should be escaped, POST, GET, SESSION, COOKIE etc... as a rule of thumb, **never** trust any input coming from a user – SubjectCurio Oct 17 '13 at 10:33

1 Answer


do this in first line:

$username = mysql_real_escape_string($_SESSION['username']);

and change query to this:

$query = ("SELECT id FROM users WHERE username = '".$username."'");
Adam
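The following is an added example, not code from the question or from the answer above. It puts the two points made in the thread side by side: escaping (if used at all) belongs on the value before it is interpolated into the query text, never on `$row[0]` after the query has run, and a prepared statement removes the escaping step entirely. It uses mysqli rather than the deprecated `mysql_*` functions, and assumes a `users` table with `id` and `username` columns; the connection credentials are placeholders.

```php
<?php
// Added example (not code from the question or the answer above).
// Assumptions: a mysqli connection to a database with a `users` table
// holding `id` and `username`; the credentials below are placeholders.
session_start();

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    die('Connect failed: ' . $db->connect_error);
}
// real_escape_string() escapes according to the connection charset, so set
// it explicitly instead of relying on the server default.
$db->set_charset('utf8mb4');

$username = $_SESSION['username'] ?? '';

// --- 1. Why a session value still counts as user input -------------------
// The value in $_SESSION was typed into a login form at some point.  A
// username such as  O'Brien  or  ' OR '1'='1  closes the string literal in
// the query text built here and the rest is parsed as SQL.
function build_query_unescaped(string $username): string
{
    return "SELECT id FROM users WHERE username = '$username'";
}

// --- 2. Where escaping belongs, if you escape at all ---------------------
// On the value, before the query string is built.  Escaping $row[0]
// afterwards cannot help: by then the server has already parsed and
// executed the query.
function build_query_escaped(mysqli $db, string $username): string
{
    $escaped = $db->real_escape_string($username);
    return "SELECT id FROM users WHERE username = '$escaped'";
}

$result = $db->query(build_query_escaped($db, $username));
if ($result === false) {
    die($db->error);
}
$row     = $result->fetch_row();
$user_id = $row ? (int) $row[0] : null;

// --- 3. Prepared statement: no escaping step to forget -------------------
// The username travels to the server separately from the SQL text, so it is
// never parsed as part of the query, whatever characters it contains.
$stmt = $db->prepare('SELECT id FROM users WHERE username = ?');
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($id);
$user_id = $stmt->fetch() ? (int) $id : null;
$stmt->close();
```

`build_query_unescaped()` is there only to make the failure visible: call it with `O'Brien` and the resulting string is not valid SQL, call it with `' OR '1'='1` and it selects the first user in the table. The prepared-statement form in section 3 is the one to keep; it also works unchanged once the same pattern is ported to PDO.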