views: 50

answers: 2

Hello and thanks in advance.

I am retrieving data from the db. The data already went through mysql_real_escape_string when it was added to the db.

Once retrieved I am comparing it to a raw variable and depending upon the result I may be re-inserting the original db data back into the db into another, different, field.

My question is, do I have to use mysql_real_escape_string on this data I got from the database?

I think yes as the data could contain characters that need to be escaped and I think the backslashes are not stored in the db.

My code is:

// $row comes straight from the database; $location_uri is the raw, unescaped value
if (isset($row['location_uri']) && $row['location_uri'] != $location_uri) {
    $session_previous_page = $row['previous_page_uri'];
} else {
    $session_previous_page = $row['location_uri'];
}

Also, should I do anything with the db data before I compare it to the raw data, say from $_SERVER['REQUEST_URI']?

thanks for any help you can give.

+1  A: 

Yes. You answered your own question - because special characters are converted on read, you need to re-escape them on write.

I am not sure of your exact question regarding $_SERVER['REQUEST_URI']. But you should never trust these variables. So if you are comparing it in a DB query, at the least, I suggest escaping it.

Jason McCreary
thank you. I mean, I am comparing the $_Server['REQUEST_URI'] to the one stored in the database. So since it is coming out of the database as it is meant to appear, i.e. no backslashes, then I think it is ok to compare the db version with the $_Server['REQUEST_URI'] version.
k22k
If you are injecting the value into your query I still suggest escaping it. You should never trust anything - even values from `$_SERVER`.
Jason McCreary
oh I will do that of course. But I am worried that when I am comparing the 2 variables, there might be a problem that they don't match. I want to compare at php level the 2 variables, one from db and other from say $_Server.
k22k
+3  A: 

You should re-apply it. The escaping functions put in slashes, etc. so it is valid SQL syntax. Those slashes aren't actually stored in the database.

Patrick
thank you. I figured as much but wanted to be sure.
k22k
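An added example (not code from the question or either answer) that puts both answers' point into practice: escaping is per-query transport syntax, the stored value never contains the backslashes, so the PHP-level comparison is raw-to-raw and every write re-quotes the value for that write. It assumes a mysqli connection `$db` (mysqli stands in for the removed mysql_* extension) and a hypothetical table `page_log(location_uri, previous_page_uri)`.

```php
<?php
// Assumptions: $db is a connected mysqli object; table page_log exists with
// columns location_uri and previous_page_uri. get_result() needs mysqlnd.

/**
 * Mirrors the question's comparison. The fetched row holds the original
 * string (no slashes), so it is compared to the raw request URI as-is.
 */
function previousPageFor(mysqli $db, string $location, string $requestUri): ?string
{
    $stmt = $db->prepare(
        'SELECT location_uri, previous_page_uri FROM page_log WHERE location_uri = ? LIMIT 1'
    );
    $stmt->bind_param('s', $location);   // driver quotes $location for this query
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null) {
        return null;
    }
    // Both operands are unescaped PHP strings: no un-escaping step is needed.
    return ($row['location_uri'] !== $requestUri)
        ? $row['previous_page_uri']
        : $row['location_uri'];
}

/**
 * Writing a value that came out of the database into another column.
 * With a prepared statement the value is bound, not spliced into SQL text,
 * so it is safe whether it originated in $_SERVER or in a previous row.
 */
function recordPreviousPage(mysqli $db, string $location, string $previous): bool
{
    $stmt = $db->prepare(
        'INSERT INTO page_log (location_uri, previous_page_uri) VALUES (?, ?)'
    );
    $stmt->bind_param('ss', $location, $previous);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/**
 * Same write with manual escaping, as the thread's answers advise: every
 * string is escaped again for *this* statement. The added backslashes live
 * only in $sql; the server strips them, so the stored row stays unescaped.
 */
function recordPreviousPageEscaped(mysqli $db, string $location, string $previous): bool
{
    $sql = sprintf(
        "INSERT INTO page_log (location_uri, previous_page_uri) VALUES ('%s', '%s')",
        $db->real_escape_string($location),
        $db->real_escape_string($previous)
    );
    return (bool) $db->query($sql);
}
```

A quick sanity check of the thread's claim: `$db->real_escape_string("it's")` yields `it\'s` in the SQL text, while reading the row back returns `it's`, which is why the escaped form must never be stored or compared against.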