mysql_escape_string in php

Question

Just a quick query really, In my PHP file, I have variables coming from my HTML form, like so:

$companyName = mysql_escape_string($_POST['compName']);
$AddLine1 = mysql_escape_string($_POST['add']);
$AddLine2 = mysql_escape_string($_POST['add1']);            
$AddLine3 = mysql_escape_string($_POST['add2']);

Throughout this script, I do a few select, insert statements with mysql. What I'm wondering is, is it okay to just use the mysql_escape_string once like above, or do I need to do it every time I use the variable?

Probably a really simple (or silly) question but I said I'd ask anyway.

You can reuse your $companyName, $AddLine1, $AddLine2 etc. variables again further down your script, as those hold the escape user input. is this what you meant? — Greg K
– Greg K, Commented Sep 15, 2010 at 13:24

Kristoffer Sall-Storgaard · Accepted Answer · 2010-09-15 13:23:24Z

2

Once is sufficient, $AddLine1-3 now holds "Safe" values

answered Sep 15, 2010 at 13:23

Kristoffer Sall-Storgaard

10.7k5 gold badges39 silver badges46 bronze badges

Sign up to request clarification or add additional context in comments.

1 Comment

109221793 Over a year ago

That's great, thank you. I will accept this as the correct answer once I'm able to.

good_evening · Accepted Answer · 2010-09-15 13:25:26Z

1

Yes, it is enough to do it once. Plus, if $_POST['val'] should be integer, you can do (int) $_POST['val'] and it will be totally safe too.

answered Sep 15, 2010 at 13:25

good_evening

21.9k70 gold badges201 silver badges307 bronze badges

Comments

BenMorel · Accepted Answer · 2014-05-18 21:20:23Z

1

You might want to check out PHP.NET. They state that:

mysql_escape_string

has been deprecated and should be replaced with :

mysql_real_escape_string()

Reference:

http://php.net/manual/en/function.mysql-escape-string.php

edited May 18, 2014 at 21:20

BenMorel

37k52 gold badges208 silver badges339 bronze badges

answered Sep 15, 2010 at 13:27

Michael Eakins

4,1803 gold badges37 silver badges54 bronze badges

1 Comment

109221793 Over a year ago

@Maekins, thanks for that, I will check it out. Seems to be working fine so far anyway but good to know for the future!

Vaidas Zilionis · Accepted Answer · 2010-09-15 13:25:53Z

0

You you working with standart php functions so you can use mysql_escape_string only then you need work with database queries.

answered Sep 15, 2010 at 13:25

Vaidas Zilionis

9318 silver badges14 bronze badges

Collectives™ on Stack Overflow

mysql_escape_string in php

4 Answers 4

1 Comment

Comments

1 Comment

Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

4 Answers 4

1 Comment

Comments

1 Comment

Comments

Your Answer

Sign up or log in

Post as a guest

Related