问题
Should I use the mysql_real_escape_string() function in my MySQL queries for $_SESSION variables? Theoretically, the $_SESSION variables can't be modified by the end-user unlike $_GET or $_POST variables right?
Thanks :)
回答1:
Regardless of whether the user can modify the data, you probably want to escape it anyway in case you ever need the data to contain characters that would break the SQL (quotes, etc).
Better yet, use bound parameters and you won't have to worry about it.
回答2:
Do not escape/quote/encode text until you're at the point where you need it. Internal representations should be as "raw" as possible.
回答3:
You can answer the question yourself by following this line of reasoning:
Did the value in $_SESSION originate from user input?
If so, has it been sanitized already?
回答4:
Theoretically, the $_SESSION variables can't be modified by the end-user
No, but the data must have come from somewhere.
You should escape any output from PHP, using the appopriate method for the destination at the point at which it leaves PHP.
C.
来源:https://stackoverflow.com/questions/2122522/mysql-real-escape-string-for-session-variables-necessary