
Do I have to use mysql_real_escape_string for every query or just when there are user inputs on the page?

Let's say I have:

    $check = mysql_query("SELECT * FROM users WHERE user='$user' AND pm='$on'");
    $numrows_check = mysql_num_rows($check);
    if ($numrows_check == 1) {
        // ...
    }

Do I have to worry about SQL injections here if the page has no user inputs?

P.S. I know pdo and mysqli, I'm asking specifically for mysql. Thanks.

Lori
Saul Tigh
  • I would like to add that - besides the fact that [mysql_* functions are deprecated](http://stackoverflow.com/q/12859942/4577762) - `mysqli` and/or `pdo` still need prepared statements and parameterized queries to [prevent sql injection](http://stackoverflow.com/q/60174/4577762). – FirstOne Mar 12 '16 at 14:47
  • Yeah, [you can **NOT** mix APIs](http://stackoverflow.com/questions/17498216/can-i-mix-mysql-apis-in-php) :\ ... – FirstOne Mar 15 '16 at 18:34
  • What you could do is double the work for a transition. Something like creating a connection with `PDO` and updating part by part of the project until you end up with `PDO` only. This is just a thought, I've never done anything like that, and if you are really going to, do it at your own risk. Make sure you are able to update a complete part so that it uses only `PDO`. Don't forget to back up your stuff and maybe use some version control... Anyways, best of luck :D – FirstOne Mar 15 '16 at 18:40

1 Answer

SQL injection can be injected using a form and also using links. It means whenever there is input from the user, you have to use mysql_real_escape_string().

How injection can be injected using a link; an example is given below.

    http://www.mysite.com/delete.php?id=5

If a URL like this is shown, someone can change this "5" to his/her desired value. There are several methods to avoid this type of injection; a simple solution is that you can use intval().

So it is necessary to use all conventions at each and every vulnerable point, so you can be safe from injection. Prevention is better than cure.

Hamza Zafeer
  • so in other words, whenever I have GET_ on a page, I must escape all queries that are associated with it? – Saul Tigh Mar 13 '16 at 01:26
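The two points above (the question's "does a variable need escaping if there is no form on this page?" and the answer's "an id in a link is user input too") come down to one rule: what matters is where a value comes from, not which page it appears on. The following is an added example, not code from the question or the answer, written in Python with an in-memory SQLite table instead of PHP's mysql_* functions so it runs offline; the table contents, the URLs and the function names are constructed for the illustration. `to_int_or_none` plays the role of the answer's `intval()`, except that it rejects anything that is not purely a decimal integer, whereas PHP's `intval("5 OR 1=1")` would quietly return 5.

```python
import sqlite3
from urllib.parse import parse_qs, urlparse


def make_db():
    """Constructed stand-in for the real `users` table (id, user, pm)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pm INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(5, "alice", 1), (6, "bob", 0), (7, "carol", 1)],
    )
    conn.commit()
    return conn


def id_from_url(url):
    """Extract the raw `id` query parameter from a link such as delete.php?id=5.
    This is the moment the value becomes attacker-controlled: anyone can edit the URL."""
    values = parse_qs(urlparse(url).query).get("id")
    return values[0] if values else None


def delete_unsafe(conn, raw_id):
    """The pattern the answer warns about: the URL value is pasted into the SQL text.
    Whatever the visitor typed after `id=` becomes part of the WHERE clause.
    Returns the number of rows removed."""
    cur = conn.execute("DELETE FROM users WHERE id=" + raw_id)
    conn.commit()
    return cur.rowcount


def to_int_or_none(raw):
    """Strict intval()-style check: accept only an optionally signed decimal string."""
    if raw is None:
        return None
    s = raw.strip()
    body = s[1:] if s[:1] in ("-", "+") else s
    return int(s) if body.isdigit() else None


def delete_safe(conn, raw_id):
    """Hardened form: validate the value to an integer AND bind it as a parameter.
    A value that does not parse is rejected (0 rows) rather than guessed at."""
    uid = to_int_or_none(raw_id)
    if uid is None:
        return 0
    cur = conn.execute("DELETE FROM users WHERE id=?", (uid,))
    conn.commit()
    return cur.rowcount


def user_exists(conn, user, pm):
    """The question's SELECT with both values bound. It does not matter whether `user`
    arrived from a form, a link, a cookie or a constant in the script: binding costs
    nothing and makes the 'do I need to escape this one?' question go away."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE user=? AND pm=?", (user, pm)
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    link = "http://www.mysite.com/delete.php?id=5"          # constructed, as in the answer
    tampered = "http://www.mysite.com/delete.php?id=5 OR 1=1"  # constructed: edited by a visitor
    print("unsafe, honest link :", delete_unsafe(make_db(), id_from_url(link)), "row(s)")
    print("unsafe, edited link :", delete_unsafe(make_db(), id_from_url(tampered)), "row(s)")
    print("safe,   edited link :", delete_safe(make_db(), id_from_url(tampered)), "row(s)")
    print("alice with pm=1     :", user_exists(make_db(), "alice", 1))
```

The unsafe path removes one row for the honest link and every row for the edited one; the hardened path removes nothing for the edited link because the value never reaches the SQL text. The same applies to the `$user`/`$on` variables in the question: if their values are literal constants in the script they cannot be tampered with, but the moment they are read from `$_GET`, `$_POST`, `$_COOKIE` or a database column that some other page wrote, they are input and need escaping or, better, binding.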