Yes, you need to escape all input before doing select or insert. However, the database has helper functions to help you do it, you don't need to be calling mysql_real_escape_string() directly. -Chad
On Mon, May 11, 2009 at 1:37 PM, Jan Luca <[email protected]> wrote:
> I mean when I use the DB class (Database::select and Database::insert).
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On behalf of Brion Vibber
> Sent: Monday, 11 May 2009 19:06
> To: Wikimedia developers
> Subject: Re: [Wikitech-l] Is mysql_real_escape_string needed?
>
> On 5/11/09 9:50 PM, Jan Luca wrote:
>> Should I use mysql_real_escape_string, or does the DB class do this
>> automatically?
>
> Generally you should be using the database wrapper functions, which in
> most cases will do escaping when generating queries. See docs:
>
> http://www.mediawiki.org/wiki/Manual:Database_access
>
> When you do manually generate some SQL you might need to quote manually,
> in which case you should use the addQuotes() or strencode() methods on
> your database access rather than using MySQL functions directly, since
> we support PostgreSQL and (in theory) other DB backends as well.
>
> -- brion
>
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
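Worked illustration of what Brion and Chad describe above. This is an added example, not code from the thread or from MediaWiki itself; it assumes the 2009-era Database API (wfGetDB(), select(), insert(), query(), tableName(), addQuotes(), strencode()) and uses a hypothetical extension table `mytable` with fields `mt_title` and `mt_text`. `$title` and `$text` stand in for untrusted request parameters.

```php
<?php
// Added example (not from the thread): escaping through MediaWiki's
// Database wrapper instead of mysql_real_escape_string().
// Assumes the 2009-era API; table `mytable` and its fields are hypothetical.

$title = $wgRequest->getText( 'title' );   // untrusted, e.g. "O'Reilly' OR 1=1 -- "
$text  = $wgRequest->getText( 'text' );    // untrusted

$dbr = wfGetDB( DB_SLAVE );

// 1. Array-form conditions: the wrapper quotes every value itself, using
//    the quoting rules of whichever backend (MySQL, PostgreSQL, ...) is in use.
$res = $dbr->select(
    'page',
    array( 'page_id', 'page_title' ),
    array( 'page_namespace' => NS_MAIN, 'page_title' => $title ),
    __METHOD__
);
foreach ( $res as $row ) {
    // $row->page_id, $row->page_title
}

// 2. insert(): field values are quoted by the wrapper as well.
$dbw = wfGetDB( DB_MASTER );
$dbw->insert(
    'mytable',
    array( 'mt_title' => $title, 'mt_text' => $text ),
    __METHOD__
);

// 3. Hand-written SQL: quote through the wrapper, never through MySQL
//    functions. addQuotes() returns the value with surrounding quotes and
//    escaping applied; strencode() returns only the escaped string, so you
//    must supply the quotes yourself.
$sql = 'SELECT page_id FROM ' . $dbr->tableName( 'page' ) .
       ' WHERE page_title = ' . $dbr->addQuotes( $title );
$res = $dbr->query( $sql, __METHOD__ );

$sql2 = 'SELECT page_id FROM ' . $dbr->tableName( 'page' ) .
        " WHERE page_title = '" . $dbr->strencode( $title ) . "'";
$res2 = $dbr->query( $sql2, __METHOD__ );

// 4. Caveat: a condition passed to select() as a plain string is inserted
//    into the query verbatim. This form is injectable because $title is
//    interpolated unquoted:
//
//    $dbr->select( 'page', 'page_id', "page_title = '$title'", __METHOD__ );
//
//    If you need a string condition, build it with addQuotes():
$res3 = $dbr->select(
    'page',
    'page_id',
    'page_title = ' . $dbr->addQuotes( $title ),
    __METHOD__
);
```

The practical rule this illustrates: prefer the array forms of select()/insert() so you never quote by hand; when you must write SQL, every interpolated value goes through addQuotes() (or strencode() plus your own quotes), and a string condition handed to select() gets no escaping from the wrapper.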
