Seker Posted May 26, 2012

So, I know security is incredibly important, so I've been attempting to read up on some things, and trying to affix some kind of security on any and all queries I type up, whether they're an obvious choice or not, for practice. Take this example:

$csql = sprintf("SELECT u.userid,u.location,c.cityid,c.cityname FROM users u LEFT JOIN cities c ON u.location=c.cityid WHERE u.userid=$userid", mysql_real_escape_string($userid));
$cities = mysql_query($csql);
$c = mysql_fetch_array($cities);

Is this the correct way to go about using MRES? Or am I way off?

Also wondering about the optimization side of things. When changing, say, the u.*, you just add in the values you're going to use in your variable for the array, correct? (Per the example above.)

I apologize in advance if this makes me sound absolutely retarded. But these are real questions I have, as I know basically nothing about security at the moment.
rulerofzu Posted May 26, 2012

For starters, why the sprintf when you're not actually using formatting in the query?
Seker Posted May 26, 2012 (Author)

> For starters, why the sprintf when you're not actually using formatting in the query?

I just caught that. Should be more like this, right?

$csql = sprintf("SELECT u.userid,u.location,c.cityid,c.cityname FROM users u LEFT JOIN cities c ON u.location=c.cityid WHERE u.userid=%s", mysql_real_escape_string($userid));
$cities = mysql_query($csql);
$c = mysql_fetch_array($cities);
rulerofzu Posted May 26, 2012

I would go read on sprintf and its formatting; you're incorrect there. Also, mres is used for strings, not numbers, which is what your query is dealing with. You would only need to filter the number.
Lithium Posted May 28, 2012

Just a small note to SRB's post: filter_var() was only introduced in PHP 5.2, so on anything older it won't work! :)
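Added example (not code from any poster in this thread) putting rulerofzu's advice and Lithium's note together: the numeric id is validated as an integer with filter_var() (PHP 5.2 or later) instead of being passed through mysql_real_escape_string(), which only escapes quote characters and does nothing for an unquoted number. The mysql_* extension was removed in PHP 7.0, so the second function shows the same query as a mysqli prepared statement; the table and column names are the thread's own, the function names and the sample inputs are assumptions.

```php
<?php
// Validate a user id as a positive integer. A quoted/escaped string is the wrong
// tool here: WHERE u.userid=... expects a number, so the check must be numeric.
// filter_var() requires PHP >= 5.2 (Lithium's point).
function validateUserId($raw)
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    return ($id === false) ? null : $id;   // null means "reject the request"
}

// Legacy style (mysql_* API): only build the SQL once the id is a known integer,
// and use %d so sprintf itself guarantees a number is interpolated.
function buildCitySql($userid)
{
    $id = validateUserId($userid);
    if ($id === null) {
        return null;   // do not run a query at all for a non-numeric id
    }
    return sprintf(
        "SELECT u.userid,u.location,c.cityid,c.cityname "
        . "FROM users u LEFT JOIN cities c ON u.location=c.cityid WHERE u.userid=%d",
        $id
    );
}

// Current style: a prepared statement, so the id is bound as an integer and never
// becomes part of the SQL text. Needs a live mysqli connection, so it is not
// called in the offline demo below.
function fetchCity(mysqli $db, $userid)
{
    $id = validateUserId($userid);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare(
        "SELECT u.userid,u.location,c.cityid,c.cityname "
        . "FROM users u LEFT JOIN cities c ON u.location=c.cityid WHERE u.userid=?"
    );
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
}

// Constructed sample inputs: only the first one survives validation; the others
// are rejected before any SQL string exists.
foreach (array('42', '0', '42abc', '') as $input) {
    var_dump(buildCitySql($input));
}
```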