Yes, you need to escape all input before doing select or insert.
However, the database has helper functions to help you do it, you
don't need to be calling mysql_real_escape_string() directly.
-Chad
On Mon, May 11, 2009 at 1:37 PM, Jan Luca <jan(a)jans-seite.de> wrote:
I mean when I use the DB class (Database::select and
Database::insert).
-----Original Message-----
From: wikitech-l-bounces(a)lists.wikimedia.org
[mailto:wikitech-l-bounces@lists.wikimedia.org] On behalf of Brion Vibber
Sent: Monday, 11 May 2009 19:06
To: Wikimedia developers
Subject: Re: [Wikitech-l] Is mysql_real_escape_string needed?
On 5/11/09 9:50 PM, Jan Luca wrote:
should I use mysql_real_escape_string or does the DB class do this
automatically?
Generally you should be using the database wrapper functions, which in
most cases will do escaping when generating queries. See docs:
http://www.mediawiki.org/wiki/Manual:Database_access
When you do manually generate some SQL you might need to quote manually,
in which case you should use the addQuotes() or strencode() methods on
your database access rather than using MySQL functions directly, since
we support PostgreSQL and (in theory) other DB backends as well.
-- brion
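The pattern Brion describes, as an added example that is not code from the thread or from MediaWiki itself. It assumes the MediaWiki Database wrapper of that era (wfGetDB(), DB_SLAVE/DB_MASTER, selectRow(), insert(), query(), tableName(), addQuotes(), timestamp()); 'page' is a core table, while 'example_log' and its el_* columns are placeholders.

```php
<?php
// Added example, not from the mailing-list thread. Assumes the 2009-era
// MediaWiki Database API; the example_log table is a placeholder.

// Lookup via the wrapper: conditions passed as an array are quoted by
// Database::selectRow() itself, so no mysql_real_escape_string() call is
// needed, and the same code runs against PostgreSQL.
function lookupPageId( $title, $namespace ) {
	$dbr = wfGetDB( DB_SLAVE );
	$row = $dbr->selectRow(
		'page',
		array( 'page_id' ),
		array( 'page_namespace' => (int)$namespace, 'page_title' => $title ),
		__METHOD__
	);
	return $row ? (int)$row->page_id : null;
}

// Insert via the wrapper: Database::insert() escapes every value in the
// row array, so user-controlled strings can be passed as-is.
function recordLookup( $title, $userName ) {
	$dbw = wfGetDB( DB_MASTER );
	$dbw->insert(
		'example_log',
		array(
			'el_title'     => $title,
			'el_user'      => $userName,
			'el_timestamp' => $dbw->timestamp(),
		),
		__METHOD__
	);
}

// Only when the SQL is assembled by hand does quoting become the caller's
// job. Interpolating $title directly, as in
//   "SELECT COUNT(*) AS n FROM page WHERE page_title = '$title'"
// is the injection bug; addQuotes() applies the backend's own rules.
function countByTitle( $title ) {
	$dbr = wfGetDB( DB_SLAVE );
	$sql = 'SELECT COUNT(*) AS n FROM ' . $dbr->tableName( 'page' ) .
		' WHERE page_title = ' . $dbr->addQuotes( $title );
	$res = $dbr->query( $sql, __METHOD__ );
	$row = $dbr->fetchObject( $res );
	return $row ? (int)$row->n : 0;
}
```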
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l