I am trying to store a randomly generated salt in my database with SQL. I have generated this salt in php using this line of code:
$salt = mysqli_real_escape_string($this->connection, mcrypt_create_iv(256, MCRYPT_DEV_URANDOM));
As I understand it all strings must be escaped regardless of whether they are derived from user input as my random salt could also have special characters which interfere with SQL regardless of whether they are intentionally malicious? As I also understand to escape the string PHP needs to add extra characters thereby increasing the length of the string. I was wondering what the maximum length of the string would be post-escaping? Is it that only one character is added for each infringing character in the string therefore the maximum length of the string is 512 for my 256 character string?
Thanks
Don't escape. Use bind parameters instead.
That aside, the size that counts is the unescaped value. Escaping is only to make it safe for the parser to read the string. The actual string value is still the same size (and will be handled in unescaped form by the MySQL engine). Escaping is just a way to safely embed a value in the query.