{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 地球回转人心会变 的问题《mysql_real_escape_string() for $_SESSION variables》','https://www.manongdao.com/q-1358476.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Should I use the mysql_real_escape_string() function in my MySQL queries for $_SESSION variables? Theoretically, the $_SESSION variables can't be modified by the end-user unlike $_GET or $_POST variables right?
Thanks :)
相关问题
- Views base64 encoded blob in HTML with PHP
- Laravel Option Select - Default Issue
- PHP Recursively File Folder Scan Sorted by Modific
- Can php detect if javascript is on or not?
- Using similar_text and strpos together
Regardless of whether the user can modify the data, you probably want to escape it anyway in case you ever need the data to contain characters that would break the SQL (quotes, etc).
Better yet, use bound parameters and you won't have to worry about it.
No, but the data must have come from somewhere.
You should escape any output from PHP, using the appopriate method for the destination at the point at which it leaves PHP.
C.
Do not escape/quote/encode text until you're at the point where you need it. Internal representations should be as "raw" as possible.
You can answer the question yourself by following this line of reasoning:
Did the value in $_SESSION originate from user input?
If so, has it been sanitized already?