What's the difference?

fr600

Can anyone please explain me the difference between:

mysql_query("SELECT * FROM users WHERE name = $_POST[username]");

and

mysql_query("SELECT * FROM users WHERE name = " . sqlesc($username) . "");

Thanks

devinemke

as a practical matter, no one can tell you the difference until you tell us what your sqlesc() function does?

fr600

I'm writing a script which is quite like this:

switch($action)
{
default:
echo "<form method=post action=thispage.php>";
echo "<input name=action type=hidden value=form2>";
echo "<input type=text name='username'>";
echo "<input type=submit value=Continue>";
echo "</form>";
break;

case "form2":
// Here I can use either
mysql_query("SELECT * FROM users WHERE name = $_POST[username]");
// or
mysql_query("SELECT * FROM users WHERE name = " . sqlesc($username) . "");
// but they both give the same result
break;
}

I want to know if there is any dirrerence between the two (security wise) and which one is better to use in this case?

thorpe

as already stated. what does the function sqlesc do?

fr600

Well I guess it is used only to select the username from the database. But the thing is I'm taking help from another php script which uses sqlesc($username) in the same case where I've always used $_POST[username] (as shown above). So I was wondering what could be the difference because I've never used sqlesc.

devinemke

fr600 wrote:
So I was wondering what could be the difference because I've never used sqlesc.

neither have we. that's why we keep asking what it does. without knowing what your sqlesc() function does it's really not possible to answer your question. judging by the name of the function, i would just guess that it escapes quotes, along the lines of [man]addslashes[/man]. but again, that is just a guess without seeing your code.

xblue

fr600,

the first query uses data the user submitted without any validation (e.g. making sure it does not contain special characters). It is likely to fail even with expected input, say if fr600 was submitted, because of missing quotes.

The latter uses a function that must be defined somewhere in your script (or in a script that this one includes). However if you have not written it and don't know what it does, you cannot be sure it is more secure.

BTW $username is no short form of $_POST['username'] anymore unless register globals are on.