Maybe a dumb question, but…do I need to run mysql_real_escape_string on user input before running it through something like:
$data = array(
    'group_id'    => 7,
    'username'    => '',
    'screen_name' => $author   // raw user input
);
$this->EE->db->insert('exp_members', $data);

I believe Active Record already escapes data, but I wasn’t able to find a definitive answer. I ask because I’m running mysql_real_escape_string on $author, and I end up with slashes before single quotes.
Thanks, a fried mind greatly appreciates it.
Edit: I just realized this might not be the best forum for my question. Apologies in advance.
Moved to Development and Programming by Moderator
Hi Sue,
With a refreshed mind, I was able to find an answer. From the user guide:
Beyond simplicity, a major benefit to using the Active Record features is that it allows you to create database independent applications, since the query syntax is generated by each database adapter. It also allows for safer queries, since the values are escaped automatically by the system.
So, it is not necessary to use mysql_real_escape_string with AR queries, since you’ll double escape data.
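An added example (not from this thread and not ExpressionEngine's own code) showing the double-escaping effect described above: an in-memory SQLite table via PDO stands in for the EE database, and addslashes() stands in for mysql_real_escape_string(), which was removed in PHP 7; both are assumptions, and the table name and input are constructed.

```php
<?php
// Added example: why escaping by hand before a driver that escapes/binds the
// value itself leaves literal backslashes in the stored data.
// Assumptions: PDO + SQLite as the database, addslashes() standing in for
// mysql_real_escape_string(); both escape the single quote the same way here.

function storedNames(string $author): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE exp_members (group_id INTEGER, username TEXT, screen_name TEXT)');

    $insert = $db->prepare(
        'INSERT INTO exp_members (group_id, username, screen_name) VALUES (:g, :u, :s)'
    );

    // Wrong: pre-escaped value handed to a driver that quotes it again.
    // The backslash is no longer syntax, it becomes part of the name.
    $insert->execute([':g' => 7, ':u' => '', ':s' => addslashes($author)]);

    // Right: hand over the raw value; binding makes it safe without mangling it.
    $insert->execute([':g' => 7, ':u' => '', ':s' => $author]);

    return $db->query('SELECT screen_name FROM exp_members')->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed user input containing the character that triggers the slashes.
$rows = storedNames("O'Reilly");

foreach ($rows as $i => $name) {
    $note = strpos($name, '\\') !== false ? 'double escaped, backslash stored' : 'stored as typed';
    echo "row $i: $name  ($note)\n";
}
```

The first row shows the symptom from the original post (a backslash saved as data); the second row is what the Active Record insert alone produces.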