PHP: Should I use mysql_real_escape_string() for get "links"?

Hey there. I happen to use queries a lot and was reading you needed protection from SQL injections. But I wonder, do I need it when using isset($_GET['some-page'])?

Users on my website use links and $_GET to show a profile. Should I use mysql_real_escape_string() when just selecting stuff or how does it work?

That maybe was two questions in one, I don't really know but here is an example:
$sql = "SELECT * FROM members WHERE user = '{$_GET['show']}'";
mysql_query("UPDATE members SET views=views+1 WHERE user='{$_GET['show']}'");

$result = mysql_query($sql); // Query
while ($row = mysql_fetch_array($result)) {
    echo $row['info'];
}

Or should it look like this:
echo mysql_real_escape_string($row['description']);

So can anyone explain where I should put this to protect from SQL injections? Thanks a lot, sorry if it's all blurry. There may be some syntax errors, and I got the extra line for views update in case it needs mysql_real_escape_string() or anything.
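
Added example, not part of the original post: the profile lookup from the question written with bound parameters, so that both the SELECT and the views UPDATE treat $_GET['show'] as data, and with HTML encoding applied at output instead of SQL escaping. It assumes PDO with an in-memory SQLite database and constructed sample rows; show_profile() is a hypothetical helper name.

```php
<?php
// Added example, not the poster's code. Assumes PDO with the SQLite driver
// (in-memory database) so it runs offline; with MySQL only the DSN changes.

// Constructed sample table using the column names from the question.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (user TEXT PRIMARY KEY, info TEXT, views INTEGER DEFAULT 0)");
$db->exec("INSERT INTO members (user, info) VALUES ('alice', 'Hi <b>there</b>')");
$db->exec("INSERT INTO members (user, info) VALUES ('o''neil', 'Quote in my name')");

// Hypothetical helper: returns HTML-safe profile text, or null if no such user.
function show_profile(PDO $db, $show)
{
    // isset() only says the parameter exists; it says nothing about its content.
    // A query string like ?show[]=x also makes it an array, so check the type.
    if (!is_string($show) || $show === '') {
        return null;
    }

    // The value is bound as a parameter, so it is always data and never SQL.
    // The UPDATE needs the same treatment as the SELECT.
    $upd = $db->prepare('UPDATE members SET views = views + 1 WHERE user = ?');
    $upd->execute([$show]);

    $sel = $db->prepare('SELECT info FROM members WHERE user = ?');
    $sel->execute([$show]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    // Output is an HTML context, not an SQL one: encode for HTML here.
    return htmlspecialchars($row['info'], ENT_QUOTES, 'UTF-8');
}

// Stand-ins for $_GET['show'] (constructed values, one containing a quote).
foreach (['alice', "o'neil", 'nobody'] as $show) {
    $html = show_profile($db, $show);
    echo $show, ' => ', $html === null ? '(no such member)' : $html, "\n";
}
```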
 