Quote:
Originally Posted by kishou
Thanks, but I'm just wondering when I should use $username instead of $_POST["username"]? Like when I'm inserting it into the database? Because I'm just starting to learn about SQL injection.
In my original reply, I said: "You only need to use mysql_real_escape_string to quote a string for use in a query."
Just so that we're clear, $username contains the escaped version of $_POST['username'], which is returned by mysql_real_escape_string in your code.
Whether you want to insert a string, update it, select with it, anything... if the contents of a variable (like $_POST['username']) need to go into a query/statement as a string, then you need to escape it.
Read the PHP manual page for mysql_real_escape_string on php.net. It goes over what the function is for, provides examples, and has some very important security information.
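To make the "escape once, then use $username everywhere" pattern concrete, here is an added example that is not from the thread or kishou's code. It is written against mysqli because the mysql_* functions were removed in PHP 7, it assumes a reachable MySQL server (the connection values are placeholders), and the prepared statement at the end is an alternative to manual escaping, not something the reply above describes.

```php
<?php
// Added example, not the thread's code. Connection values are placeholders.
$db = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db');
if (!$db) {
    die('Connection failed: ' . mysqli_connect_error());
}

// Escape ONCE, at the point where the raw form field enters the script,
// and keep the escaped copy in its own variable.
$username = mysqli_real_escape_string($db, $_POST['username']);

// From here on every query uses $username, never $_POST['username'].
// Escaping only protects a value that sits inside a quoted string literal,
// so the single quotes around $username are part of the defence.
$insert = "INSERT INTO users (username) VALUES ('$username')";
$select = "SELECT id FROM users WHERE username = '$username'";

// A numeric slot is not a quoted string, so escaping does nothing for it;
// coerce the value to an integer instead.
$page  = (int) ($_POST['page'] ?? 0);
$paged = "SELECT id FROM users LIMIT 10 OFFSET " . ($page * 10);

mysqli_query($db, $insert) or die(mysqli_error($db));
$result = mysqli_query($db, $select) or die(mysqli_error($db));
$row = mysqli_fetch_assoc($result);

// A prepared statement sends the value separately from the SQL text, so no
// manual escaping is needed; this is the form to prefer in new code.
$stmt = mysqli_prepare($db, 'SELECT id FROM users WHERE username = ?');
mysqli_stmt_bind_param($stmt, 's', $_POST['username']);
mysqli_stmt_execute($stmt);
```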