When mysql_real_escape_string() is needed?

Is mysql_real_escape开发者_如何学JAVA_string() with sprintf needed only at login page or at every mysql_query after login, for preventing SQL injection?

You should use mysql_real_escape_string() every time you insert user-posted data into a query, or use a database wrapper like PDO that can do prepared statements. That would be better, because they do the job of sanitizing for you.

If you are working on the overall security of your site, this is great and definitely necessary. If you are looking for reasons why your site was hacked, though, I doubt this was done through a SQL injection, as your actual HTML code was affected (or so I thought, I may be wrong). This would be only possible if you had your FTP password stored somewhere in the database.

You should use mysql_real_escape_string for any user supplied data that is going to be ran through an SQL query.

Use it when you do not trust the input. And never trust a user input.

In any instance that you accept user input, you should use mysqli_real_escape_string on it before sending it to the database. It is a good idea to use trim() on the input as well.