Does $_SESSION['username'] need to be escaped before getting into an SQL query?

Backend | Unresolved | 5 answers | 1304
猫巷女王i 2021-01-25 01:47

I am wondering if anything from the $_SESSION array needs to be escaped before I use it in a SQL query.

Note that I don't use cookies in my application, since I've hea

5 answers
  •  孤城傲影
    2021-01-25 02:13

    On the assumption that there are yet to be revealed exploits in PHP, everything should be escaped using prepared statements or mysql_real_escape_string before you allow anything to touch your database.

    Data stored in $_SESSION is not always clean. For multi page forms you may store user input in $_SESSION until the final page when you write it all into the database. If you get into any kind of habit of thinking $_SESSION is "clean" you will eventually get yourself in trouble.

    You should absolutely get into the habit of assuming every piece of data in your system is dirty until you have escaped it. Note, if you are using dynamic table names, escaping doesn't help you. Never use table or column names in a query that have ever gone anywhere near a user. The various escaping mechanisms don't escape backticks. If you have a prepared query of say:

    "SELECT * FROM `:aTable`;"
    

    and aTable comes from a user, a user that enters something like

    ` WHERE id IN (DELETE FROM user);
    

    has potentially just deleted all your user records.
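The two rules in the answer above, values are bound through a prepared statement and identifiers are only ever taken from a fixed allow-list, shown as an added PHP example (this code is not from the original thread). It assumes PHP with the pdo_sqlite extension so it runs offline against an in-memory database; `ALLOWED_TABLES`, `findUserByName`, `countRows` and the session value are constructed for the example:

```php
<?php
// Added example (not from the original post): a $_SESSION value is handled
// like any other untrusted input. Values are bound in a prepared statement;
// identifiers (table/column names) are checked against an allow-list that
// the code itself defines. Assumes the pdo_sqlite extension is available.

declare(strict_types=1);

// Constructed in-memory database standing in for the application's schema.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec("INSERT INTO user (username) VALUES ('alice'), ('bob')");

// Constructed session: the username was stored from a form on an earlier
// page of a multi-page flow, exactly the case the answer warns about.
$_SESSION = ['username' => "alice' OR '1'='1"];

// Values: bind them, never interpolate them into the SQL string.
function findUserByName(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM user WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Identifiers: a placeholder cannot stand in for a table or column name, and
// escaping functions do not cover backticks, so the only safe approach is an
// allow-list of names that never came from a user. (Hypothetical list.)
const ALLOWED_TABLES = ['user', 'order_history'];

function countRows(PDO $pdo, string $table): int
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('Table name not in allow-list: ' . $table);
    }
    // $table is now one of our own literals, so quoting it as an identifier is
    // safe (SQLite uses double quotes here; MySQL would use backticks).
    return (int) $pdo->query("SELECT COUNT(*) FROM \"$table\"")->fetchColumn();
}

// The quote inside the session value is passed as data, so no row matches.
var_dump(findUserByName($pdo, $_SESSION['username']));

// A legitimate identifier is accepted.
var_dump(countRows($pdo, 'user'));

// The backtick payload from the answer never reaches the query text.
try {
    countRows($pdo, '` WHERE id IN (DELETE FROM user);');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

The point of `countRows` is that the check happens on the identifier before it is concatenated; quoting or escaping after the fact would not have stopped the backtick payload, which is why the answer says identifiers must never be user-controlled at all.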
