Hi Guys.

Ok, I know that "mysql_real_escape_string" is supposed to protect a site against SQL injections by stripping tags and all, but here is what I don't understand: is it the same using the above function when declaring variables, ex.:

$username = mysql_real_escape_string($_POST['username']);

or

VALUES ( '".mysql_real_escape_string($vf_title)."',

And what is the difference between mysql_real_escape_string and mysqli_real_escape_string, with the 'i' after mysql?

And last: is this code safe for a login page, if I am using mysql_real_escape_string for the username and password when declaring them?

$check_login = "SELECT * FROM el_users WHERE el_username = '$username' AND el_password = '$passwordMd' ";

Thanks in advance
You can use mysql_real_escape_string in the declaration of a variable, and then input the variable; or you can use it as part of the MySQL statement (it makes no difference).
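Added example, not code from the thread: the two placements of the escaping call discussed above, written with mysqli, next to the question's login lookup done with bound parameters. The function names, connection details and sample values are assumptions; it needs a reachable MySQL server with the el_users table from the question.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical;
// table and column names come from the question.
// mysqli_* replaces mysql_* (removed in PHP 7.0) and takes the connection
// as its first argument.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Both placements of the escaping call build the same SQL string.
function escaped_queries(mysqli $db, string $username): array
{
    $u = mysqli_real_escape_string($db, $username);       // at declaration
    $a = "SELECT * FROM el_users WHERE el_username = '$u'";
    $b = "SELECT * FROM el_users WHERE el_username = '"
       . mysqli_real_escape_string($db, $username) . "'"; // inline
    return [$a, $b];
}

// The login lookup with bound parameters: values travel separately from the
// SQL text, so no escaping call is needed and quoting cannot be forgotten.
function check_login(mysqli $db, string $username, string $passwordMd): bool
{
    $stmt = $db->prepare(
        'SELECT 1 FROM el_users WHERE el_username = ? AND el_password = ?'
    );
    $stmt->bind_param('ss', $username, $passwordMd);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows === 1;
    $stmt->close();
    return $found;
}

// Usage; host, user, password and database name are placeholders.
$db = new mysqli('localhost', 'db_user', 'db_pass', 'db_name');
$db->set_charset('utf8mb4'); // escaping depends on the connection charset

[$a, $b] = escaped_queries($db, "o'brien");   // constructed input
var_dump($a === $b);

// $passwordMd is assumed to be computed as in the question (not shown there).
var_dump(check_login($db, "o'brien", 'constructed-stored-value'));
```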