problem inserting $_SESSION data that contains a '

04-14-2011, 05:50 PM
Without having to create a new variable for each of the SESSION variables, how should I change the following example to securely insert data?

The $requestID and $datetime_added were already made safe using mysql_real_escape_string; it is the session data that I am not sure about.

$addRequest = mysql_query("INSERT INTO requests (`request_id`, `datetime_added`, `customer_name`, `customer_email`) VALUES ('$requestID', '$datetime_added', '{$_SESSION['customerName']}', '{$_SESSION['customerEmail']}')");

I just tried to use a foreach on each SESSION variable, but this causes problems with other session variables not used in the storing of data in mysql, and there are too many to filter out, and too many session variables to create a new variable ($variablename) for each.
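One way to do what the question asks, as an added example that is not code from the thread: a prepared statement takes the session values as parameters, so nothing has to be escaped by hand and no per-key variable is needed. Only the session keys listed in a column map are read, so unrelated session data is never touched. The table and column names are the ones in the post; the mysqli connection, its credentials, the request id and the sample session contents are assumptions constructed for the example.

```php
<?php
// Added example, not code from the thread. Inserts selected $_SESSION values
// through a mysqli prepared statement. Connection details are assumed.
session_start();

// Constructed sample session data; the apostrophe in the name is the case the
// original string-built query cannot handle.
$_SESSION['customerName']  = "Miles O'Brien";
$_SESSION['customerEmail'] = "miles@example.com";
$_SESSION['cart']          = ['sku-1' => 2];   // unrelated key, deliberately ignored

$requestID      = 42;                          // assumed, validated upstream
$datetime_added = date('Y-m-d H:i:s');

// Column name => session key. Only these keys are ever read from the session,
// so the rest of $_SESSION does not need filtering.
$columnsFromSession = [
    'customer_name'  => 'customerName',
    'customer_email' => 'customerEmail',
];

$columns = ['request_id', 'datetime_added'];
$values  = [$requestID, $datetime_added];
foreach ($columnsFromSession as $column => $sessionKey) {
    if (!isset($_SESSION[$sessionKey]) || !is_string($_SESSION[$sessionKey])) {
        throw new RuntimeException("missing or non-string session value for $sessionKey");
    }
    $columns[] = $column;
    $values[]  = $_SESSION[$sessionKey];
}

// The column list comes from the fixed array above, never from user input, so
// it is safe to build as a string. The values travel separately as parameters.
$sql = sprintf(
    'INSERT INTO requests (`%s`) VALUES (%s)',
    implode('`, `', $columns),
    implode(', ', array_fill(0, count($values), '?'))
);

$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // assumed credentials
$mysqli->set_charset('utf8mb4'); // parameter handling depends on the connection charset

$stmt = $mysqli->prepare($sql);
if ($stmt === false) {
    throw new RuntimeException('prepare failed: ' . $mysqli->error);
}
// One 's' type per value; the driver sends the apostrophe in O'Brien as data, not SQL.
$stmt->bind_param(str_repeat('s', count($values)), ...$values);
if (!$stmt->execute()) {
    throw new RuntimeException('insert failed: ' . $stmt->error);
}
echo 'inserted request row id ' . $mysqli->insert_id . PHP_EOL;
```

The map from column to session key is the only place that has to change when another session value needs storing; the query text and the binding loop stay the same.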

04-14-2011, 07:13 PM
Why not use mysql_real_escape_string on the session variables also? IMO - It should be done to all variables before they are inserted just to add an extra layer of security, even if they were previously stored in the database.

04-18-2011, 08:03 AM
Either you need to do as munkeyboy said and escape the variables before passing them into the query, either inline or by creating a new variable.

Or you can validate each variable before executing the query by checking whether a lone single quote (') without an escape (\) is in the string (if you are enclosing the string in single quotes).

Though really you should be validating each user input before you pass it into the SESSION variables, and still escaping it before putting it into the query.
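The two layers the last reply describes, validate input before it goes into the session and still escape it when it is interpolated into the query, as an added example that is not code from the thread. It also shows munkeyboy's suggestion of escaping the session values inline, without a new variable per key. The validation functions, the form input, the connection and its credentials are constructed assumptions; mysqli_real_escape_string stands in for the removed mysql_real_escape_string.

```php
<?php
// Added example, not code from the thread. Validation helpers are my own names.

/** Return a trimmed customer name, or null when the input is unacceptable. */
function validateCustomerName(string $raw): ?string
{
    $name = trim($raw);
    // Letters in any script, combining marks, spaces, apostrophes, hyphens and
    // periods. The apostrophe is legitimate in names, so it is allowed here and
    // dealt with by escaping at query time, not by rejecting the input.
    if ($name === '' || mb_strlen($name) > 100 || !preg_match("/^[\p{L}\p{M} .'\-]+$/u", $name)) {
        return null;
    }
    return $name;
}

/** Return a normalised e-mail address, or null when it does not validate. */
function validateCustomerEmail(string $raw): ?string
{
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : strtolower($email);
}

session_start();

// Constructed form input, as it would arrive in $_POST.
$post = ['name' => "  Miles O'Brien ", 'email' => 'Miles@Example.com'];

$name  = validateCustomerName($post['name']);
$email = validateCustomerEmail($post['email']);
if ($name === null || $email === null) {
    http_response_code(400);
    exit('invalid customer details');
}

// Layer 1: only validated values are stored in the session.
$_SESSION['customerName']  = $name;
$_SESSION['customerEmail'] = $email;

// Layer 2: escape at the point of use, even though the values were validated.
// real_escape_string needs a live connection because the escaping rules depend
// on the connection charset, so set the charset before escaping anything.
$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // assumed credentials
$mysqli->set_charset('utf8mb4');

$requestID      = (int) 42; // assumed, validated upstream; cast keeps it numeric
$datetime_added = $mysqli->real_escape_string(date('Y-m-d H:i:s'));

// Session values escaped inline inside the query string, no extra variables.
$sql = "INSERT INTO requests (`request_id`, `datetime_added`, `customer_name`, `customer_email`)
        VALUES ('$requestID', '$datetime_added',
                '{$mysqli->real_escape_string($_SESSION['customerName'])}',
                '{$mysqli->real_escape_string($_SESSION['customerEmail'])}')";

if (!$mysqli->query($sql)) {
    exit('insert failed: ' . $mysqli->error);
}
echo 'inserted request row id ' . $mysqli->insert_id . PHP_EOL;
```

Escaping only works when every interpolated value is wrapped in quotes in the SQL and the connection charset matches what the escaping function assumes, which is why the charset is set before any value is escaped.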