PHP SESSIONS Question
When a user logs in, should I sanitize their logged-in $_SESSION['user_id']
user id or not? For example, like in the following code below.
mysqli_real_escape_string($mysqli, htmlentities(strip_tags($_SESSION['user_id'])));
Session data is stored server-side, so it should be sanitized before being added to $_SESSION
in the first place.
You could always use session_id()
instead which should work.
Not really a security expert, but you could cast it anyway: (int) $_SESSION['user_id']
You have absolute control over what you put in $_SESSION, so there are some types of sanitation checks that should be done prior to putting the values in $_SESSION (e.g., did the user submit an array, is it longer than what's permitted, etc.).
However, if you're asking if you should escape the strings before passing them to the database, the answer is yes (a user name that's valid may or may not contain the character ', for instance). Better yet, use prepared statements if possible.
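How the advice in the answers above fits together in code, as an added example that is not part of the original question or of any answer: validate once at login before writing to $_SESSION, cast on read as a cheap guard, and use a prepared statement instead of escaping. The `users` table, its `id`/`username` columns and the `$mysqli` connection are assumptions.

```php
<?php
// Added example, not from the original post. Assumes a MySQL table
// users(id INT, username VARCHAR) (assumed names), a mysqli connection in
// $mysqli, mysqlnd available for get_result(), and session_start() called.

declare(strict_types=1);

/**
 * Called once, at login, after the password check has succeeded.
 * Validation happens here, before anything goes into $_SESSION: the session
 * is stored server-side, so the value can only be what this function wrote.
 */
function storeLoggedInUser(int $userIdFromDb, string $username): void
{
    if ($userIdFromDb <= 0) {
        throw new InvalidArgumentException('user id must be a positive integer');
    }
    // New session id on privilege change, so a pre-login id is not reused.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userIdFromDb;              // already an int, nothing to escape
    $_SESSION['username'] = mb_substr($username, 0, 64); // length-limited copy for display
}

/**
 * Read the id back. The (int) cast suggested in one answer is a cheap guard
 * in case some other code path stored a string; the real control is that
 * only storeLoggedInUser() writes this key.
 */
function currentUserId(): ?int
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $id = (int) $_SESSION['user_id'];
    return $id > 0 ? $id : null;
}

/**
 * Prepared statement: the parameter travels separately from the SQL text,
 * so no mysqli_real_escape_string() on session data is needed at all.
 */
function loadProfile(mysqli $mysqli, int $userId): ?array
{
    $stmt = $mysqli->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/**
 * HTML escaping belongs at output time, not when storing or querying;
 * the strip_tags()/htmlentities() chain from the question mixes the two.
 */
function renderUsername(string $username): string
{
    return htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage sketch (needs a live DB connection and an active session):
// session_start();
// storeLoggedInUser((int) $rowFromPasswordCheck['id'], $rowFromPasswordCheck['username']);
// $id = currentUserId();
// if ($id !== null && ($profile = loadProfile($mysqli, $id)) !== null) {
//     echo renderUsername($profile['username']);
// }
```

The point of splitting it this way is that each value is validated in exactly one place (login), typed on the way out of the session, and never string-concatenated into SQL, so the escaping chain in the question becomes unnecessary rather than merely sufficient.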