Hi,

Just a quick query really. In my PHP file, I have variables coming from my HTML form, like so:

$companyName = mysql_escape_string($_POST['compName']);
$AddLine1 = mysql_escape_string($_POST['add']);
$AddLine2 = mysql_escape_string($_POST['add1']);
$AddLine3 = mysql_escape_string($_POST['add2']);

Throughout this script, I do a few SELECT and INSERT statements with MySQL. What I'm wondering is: is it okay to just use mysql_escape_string once like above, or do I need to do it every time I use the variable?

Probably a really simple (or silly) question but I said I'd ask anyway.

+2  A: 

Once is sufficient; $AddLine1-3 now hold "safe" values.

Kristoffer S Hansen
That's great, thank you. I will accept this as the correct answer once I'm able to.
TaraWalsh
+1  A: 

Yes, it is enough to do it once. Plus, if $_POST['val'] should be integer, you can do (int) $_POST['val'] and it will be totally safe too.

hey
A: 

You are working with standard PHP functions, so you can use mysql_escape_string only when you need to work with database queries.

Vaidas Zilionis
+1  A: 

You might want to check out PHP.NET. They state that:

mysql_escape_string

has been deprecated and should be replaced with:

mysql_real_escape_string()

Reference:

http://php.net/manual/en/function.mysql-escape-string.php

Michael Eakins
@Maekins, thanks for that, I will check it out. Seems to be working fine so far anyway but good to know for the future!
TaraWalsh
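The pattern the accepted answer describes (escape each form value once, then reuse the variable in every query), combined with the (int) cast from the second answer and the mysql_real_escape_string replacement from the last one, as an added example that is not part of the original question or any of the answers. It is written against mysqli, since the mysql_* extension the question uses was removed in PHP 7; the connection details and the companies table and its columns are assumed for illustration.

```php
<?php
// Added example (not from the original thread): escape each form value once
// when it is read, then reuse the escaped variable in every later query.
// mysqli::real_escape_string is the current equivalent of the
// mysql_real_escape_string() that the last answer points to.
// Connection parameters, table and column names are assumed.

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    die('Connection failed: ' . htmlspecialchars($db->connect_error));
}
// Escaping is charset-aware, so set the connection charset before escaping.
$db->set_charset('utf8mb4');

// Escape once, at the point the values arrive from the form.
$companyName = $db->real_escape_string($_POST['compName'] ?? '');
$AddLine1    = $db->real_escape_string($_POST['add']  ?? '');
$AddLine2    = $db->real_escape_string($_POST['add1'] ?? '');
$AddLine3    = $db->real_escape_string($_POST['add2'] ?? '');

// A value that must be numeric is cast instead of escaped (second answer).
$companyId = (int) ($_POST['compId'] ?? 0);

// The escaped strings can be reused in any number of queries, provided
// each one is placed inside single quotes in the SQL: escaping only
// protects a quoted string literal, never a bare value.
$exists = $db->query("SELECT id FROM companies WHERE name = '$companyName'");
if ($exists && $exists->num_rows === 0) {
    $db->query("INSERT INTO companies (name, addr1, addr2, addr3)
                VALUES ('$companyName', '$AddLine1', '$AddLine2', '$AddLine3')");
}
// The cast integer needs no quotes; it can only ever be digits.
$db->query("UPDATE companies SET addr1 = '$AddLine1' WHERE id = $companyId");

// Do not escape the same variable a second time before another query: the
// backslashes added by the first call would themselves be escaped and end
// up stored literally (O\'Brien instead of O'Brien). The escaped value is
// safe for SQL only; when echoing it back into HTML, use htmlspecialchars().
```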