I used mysql_real_escape_string() to prevent SQL injection for the $field variable below. Should I use the same for $_SESSION['user_id']?
I can't imagine someone being able to change a value in the $_SESSION array. Can they?
$query = "SELECT `".mysql_real_escape_string($field)."` FROM `users` WHERE `id`='".$_SESSION['user_id']."'";
They can't change the $_SESSION array, but your problem totally depends on how you initialized $_SESSION['id']. In a general way, you should always escape values in a SQL query. Don't try to guess whether or not values can be modified from a user input, just escape them.
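An added example, not from the question or the answer above: the same query written with mysqli prepared statements, so that neither the session value nor any other input becomes part of the SQL text. It assumes an existing mysqli connection in $db and a hypothetical allow list of column names, because identifiers cannot be bound as parameters and escaping functions do not protect them.

```php
<?php
// Added example: the query from the question rewritten with prepared statements.
// Assumed: $db is an open mysqli connection, session_start() was already called,
// and $field comes from user input (e.g. a request parameter).

// Column names cannot be bound as parameters, and mysql_real_escape_string()
// does not escape backticks, so a column name from user input is checked
// against a fixed allow list instead of being escaped.
function selectUserColumn(mysqli $db, string $field, int $sessionUserId): ?array
{
    $allowedFields = ['username', 'email', 'created_at']; // assumed schema
    if (!in_array($field, $allowedFields, true)) {
        throw new InvalidArgumentException('Unknown field requested');
    }

    // The session value is bound as a typed parameter regardless of where it
    // came from; the SQL text never contains the value itself.
    $stmt = $db->prepare("SELECT `$field` FROM `users` WHERE `id` = ?");
    $stmt->bind_param('i', $sessionUserId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

// Usage (connection details are placeholders):
// $db  = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
// $row = selectUserColumn($db, $_GET['field'] ?? '', (int) $_SESSION['user_id']);
```

The allow list also covers the case the answer warns about: even if a session value were ever populated from user input, binding it as a parameter keeps it out of the query text.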