mysql_real_escape_string() for $_SESSION variables necessary?

Question

Should I use the mysql_real_escape_string() function in my MySQL queries for $_SESSION variables? Theoretically, the $_SESSION variables can't be modified by the end-user unlike $_GET or $_POST variables right?

Thanks :)

Answer 1

Regardless of whether the user can modify the data, you probably want to escape it anyway in case you ever need the data to contain characters that would break the SQL (quotes, etc).

Better yet, use bound parameters and you won't have to worry about it.

Answer 2

Do not escape/quote/encode text until you're at the point where you need it. Internal representations should be as "raw" as possible.

Answer 3

You can answer the question yourself by following this line of reasoning:

Did the value in $_SESSION originate from user input?

If so, has it been sanitized already?

Answer 4

Theoretically, the $_SESSION variables can't be modified by the end-user

No, but the data must have come from somewhere.

You should escape any output from PHP, using the appopriate method for the destination at the point at which it leaves PHP.

C.