There is nothing wrong with my code, but I just can't help but wonder, should I wrap the $key with mysql_real_escape_string? This is just part of my Database function which is mainly used to pull data out of the database with table name and $where as arguments to the function. $where is to be an associative array with keys being column name, and values being the data.

This is what processes the $where array. Before this I have $sql = 'select * from ' . $table;

if (!empty($where)) {
    $where_count = count($where);

    $sql .= ' WHERE ';

    foreach ($where as $key => $value) {
        // A key is either "column" or "column operator", e.g. "age >"
        $split_key = explode(' ', $key);

        if (count($split_key) > 1) {
            $sql .= $key[0] . ' ' . $key[1] . ' "' . mysql_real_escape_string($value) . '" ';
        } else {
            $sql .= $key . ' = "' . mysql_real_escape_string($value) . '" ';
        }
    }
}

3 Answers

Filter ANY INPUT from the user that is going to be placed in your query. No doubt!
So if the keys are supplied by the user, YES, and if they are generated in a safe manner, NO.

Take a look at SQL Injection to understand why filtering must be done.

1 Comment

Thank you. The keys are being generated by me, so I suppose I don't need to.

I am not sure what is being asked here, but I can see one error:

$sql .= $key[0] . ' ' . $key[1] . ' "' . mysql_real_escape_string($value) . '" ';

should be

$sql .= $split_key[0] . ' ' . $split_key[1] . ' "' . mysql_real_escape_string($value) . '" ';

1 Comment

Thanks :) I totally didn't see that.

If you really want to quote field names, use backticks.

See http://dev.mysql.com/doc/refman/5.6/en/identifiers.html

The following statement creates a table named a`b that contains a column named c"d:

CREATE TABLE `a``b` (`c"d` INT);

1 Comment

Don't understand what this has to do with my question, but thanks anyway dude or dudette.
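Pulling the three answers together, here is an added example (not code from the question or from any of the answers) of the same WHERE-clause builder written so that column names and operators are validated against a whitelist and backtick-quoted, while values are bound as prepared-statement parameters through PDO instead of being escaped with mysql_real_escape_string (the mysql_* extension was removed in PHP 7). The function names, the `users` table, its columns and the whitelist are all assumptions made for the example.

```php
<?php
// Added example, not from the question or answers. Identifiers (column
// names, operators) are validated and quoted; values are bound with PDO.
// The table and column names used below are constructed for illustration.

/**
 * Quote a MySQL identifier with backticks, doubling any embedded backtick,
 * following the identifier rules linked above (`a``b` names the table a`b).
 */
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Build "SELECT * FROM <table> WHERE ..." from an associative array whose
 * keys are "column" or "column operator" and whose values are the data.
 * Returns [$sql, $params] ready for PDO::prepare()/PDOStatement::execute().
 *
 * @param string[] $allowedColumns column names the caller permits (assumed whitelist)
 */
function buildSelect(string $table, array $where, array $allowedColumns): array
{
    static $allowedOperators = ['=', '!=', '<>', '<', '<=', '>', '>=', 'LIKE'];

    $sql = 'SELECT * FROM ' . quoteIdentifier($table);
    $params = [];

    if (empty($where)) {
        return [$sql, $params];
    }

    $clauses = [];
    foreach ($where as $key => $value) {
        // Split on the first space only, so "created_at >=" yields two parts.
        $parts = explode(' ', trim($key), 2);
        $column = $parts[0];
        $operator = isset($parts[1]) ? strtoupper(trim($parts[1])) : '=';

        // Keys may originate from user input: never interpolate them unchecked.
        // Reject anything outside the whitelist rather than trying to escape it.
        if (!in_array($column, $allowedColumns, true)) {
            throw new InvalidArgumentException("Column not allowed: $column");
        }
        if (!in_array($operator, $allowedOperators, true)) {
            throw new InvalidArgumentException("Operator not allowed: $operator");
        }

        // The value is bound as a parameter, so no quoting or escaping is needed.
        $clauses[] = quoteIdentifier($column) . ' ' . $operator . ' ?';
        $params[] = $value;
    }

    return [$sql . ' WHERE ' . implode(' AND ', $clauses), $params];
}

// Usage with constructed input; $pdo would be an existing PDO connection.
[$sql, $params] = buildSelect(
    'users',
    ['status' => 'active', 'age >=' => 18],
    ['id', 'status', 'age']
);

// $stmt = $pdo->prepare($sql);
// $stmt->execute($params);
// $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

Two design choices worth noting: the column whitelist is what makes a user-supplied key safe, since escaping functions only protect string literals, not identifiers; and the clauses are joined with an explicit AND, whereas the loop in the question appends each clause with only a trailing space.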
