
I have the following code:

$username = $_SESSION['username'];      
$query = ("SELECT id FROM users WHERE username = '$username'");
$result = mysql_query($query) or die (mysql_error());
$row = mysql_fetch_row($result);
$user_id = $row[0];

Where should I apply mysql_real_escape_string here? Would $user_id = mysql_real_escape_string($row[0]); work?

I know that MySQL should be left in the past. I'll move to MySQLi soon enough.


1 Answer


Do this in the first line:

$username = mysql_real_escape_string($_SESSION['username']);   

And change the query to this:

$query = ("SELECT id FROM users WHERE username = '".$username."'");
answered 2013-10-17T08:49:06.137
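An added example, not part of the original question or answer: the same lookup written with prepared statements, showing that protection belongs on values going into a query and that `$row[0]` only needs it if it is later used in another query. It uses PDO with an in-memory SQLite database instead of the `mysql_*` functions on the page so that it runs without a server; the table contents, the `posts` table and the function names are constructed for illustration.

```php
<?php
// Constructed data in an in-memory SQLite database (assumption: pdo_sqlite is enabled).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)");
$pdo->exec("CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER, title TEXT)");
$pdo->exec("INSERT INTO users (id, username) VALUES (1, 'alice'), (2, 'o''brien')");
$pdo->exec("INSERT INTO posts (user_id, title) VALUES (2, 'hello')");

// Stand-in for $_SESSION['username']; the apostrophe is what breaks concatenation.
$username = "o'brien";

// Concatenated form from the question: the quote inside the value ends the
// SQL string literal early, so the value is parsed as SQL rather than as data.
function lookupConcatenated(PDO $pdo, string $username): ?int
{
    try {
        $sql = "SELECT id FROM users WHERE username = '$username'";
        $row = $pdo->query($sql)->fetch(PDO::FETCH_NUM);
        return $row ? (int) $row[0] : null;
    } catch (PDOException $e) {
        echo "concatenated query failed: ", $e->getMessage(), "\n";
        return null;
    }
}

// Parameterized form: the value is bound separately from the SQL text,
// so no escaping call is needed and quotes in the value stay data.
function lookupPrepared(PDO $pdo, string $username): ?int
{
    $stmt = $pdo->prepare("SELECT id FROM users WHERE username = ?");
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row ? (int) $row[0] : null;
}

lookupConcatenated($pdo, $username);
$user_id = lookupPrepared($pdo, $username);
echo "user_id = ", var_export($user_id, true), "\n";

// The fetched id is just a PHP value here. It needs protection only at the
// point where it becomes input to another query, and binding handles that.
$stmt = $pdo->prepare("SELECT title FROM posts WHERE user_id = ?");
$stmt->bindValue(1, $user_id, PDO::PARAM_INT);
$stmt->execute();
print_r($stmt->fetchAll(PDO::FETCH_COLUMN));
```

With MySQLi the equivalent calls are `prepare()`, `bind_param()` and `execute()`.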