[nycphp-talk] mysql_real_escape_string

Brian Dailey support at dailytechnology.net
Tue Oct 31 15:46:00 EST 2006


So are there any real tangible advantages to mysql_real_escape_string as 
opposed to addslashes?

-Brian

Rob Marscher wrote:
> A side note here about mysql_real_escape_string - curious if anyone is 
> an expert on this...  In the last year, I switched over from using 
> addslashes to using mysql_real_escape_string to escape strings in sql 
> statements because it's the 'right thing to do.'
> 
> I'm currently reading "Building Scalable Web Sites" by Cal Henderson 
> (which I think is great so far for anyone making large [or potentially 
> large] web apps).  In the section about avoiding sql injection attacks, 
> he says "the more complicated mysql_real_escape_string escapes a bunch 
> more characters but is ultimately unnecessary (although useful for 
> making logs easier to read)."  I thought that was interesting - 
> "ultimately unnecessary."
> 
> Although I guess this argument will be moot as soon as people move to 
> php 5/mysql 5, as prepared statements seem to be the way to go there.
> 
> -Rob
> 
> csnyder wrote:
>> On 10/30/06, tuon1 at netzero.net <tuon1 at netzero.net> wrote:
>>   
>>> [...]
>>>         //Add new customer to database
>>>         function AddNewCustomer($FirstName, $LastName, $Address,
>>>                                 $City, $State, $ZipCode,
>>>                                 $AreaCode, $Phone, $Email,
>>>                                 $WebsiteURL, $LoginName, $Password
>>>                                )
>>>            {
>>>                 $query = 'INSERT INTO Customer_Info (FirstNameCol,
>>>            LastNameCol, AddressCol, CityCol, StateCol,
>>>                                 ZipCodeCol, AreaCodeCol, PhoneCol,
>>>                                 EmailCol, WebsiteURLCol,
>>>            LoginNameCol, PasswordCol
>>>                                )
>>>     VALUES ("'. $FirstName . '", "' . $LastName . '",
>>>                      "' . $Address . '", "' . $City . '",
>>>       "' . $State . '", "' . $ZipCode . '",
>>>       "' . $AreaCode . '", "' . $Phone . '",
>>>       "' . $Email . '",
>>>       "' . $WebsiteURL . '", "' . $LoginName . '",
>>>                      "' . SHA1($Password) . '")';
>>>   }
>>>
>>> Feel free to correct my code and give suggestions for better techniques.
>>>
>>>     
>> Hi Paul,
>>
>> You always need to escape each of the user submitted values in your
>> SQL, in order to prevent breakage and security vulnerabilities. The
>> mysql_real_escape_string() function is the recommended way to do this.
>>
>> function dbEsc( $value ) {
>>   return mysql_real_escape_string( $value );
>> }
>>
>> function AddNewCustomer( $FirstName ) {
>>   $query = 'INSERT INTO Customer_Info ( FirstNameCol )
>>                              VALUES ("'. dbEsc($FirstName) . '")';
>>   return mysql_query($query);
>> }
>>
>> This is one of the two fundamental rules of secure web programming
>> with php (the other being that you always escape output values using
>> htmlentities()).
>>
>>   
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
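An added example (not code posted by anyone in this thread) that puts Brian's question and Rob's prepared-statement remark side by side: the first part re-implements the MySQL escaping rules in userland for a single-byte connection charset, since mysql_real_escape_string() itself needs a live connection, and compares them with addslashes(); the second part rewrites AddNewCustomer() with PDO prepared statements. The PDO part assumes an in-memory SQLite database so it runs without a MySQL server; only the DSN changes for MySQL.

```php
<?php
// Characters mysql_real_escape_string() escapes: NUL, \n, \r, \, ', ", Ctrl-Z.
// addslashes() only handles ', ", \ and NUL, and knows nothing about the
// connection's character set (the other tangible difference: the real
// function escapes according to the charset the MySQL link is actually using).
function mysqlStyleEscape(string $s): string {
    return strtr($s, [
        "\0" => '\\0', "\n" => '\\n', "\r" => '\\r', "\\" => '\\\\',
        "'" => "\\'", '"' => '\\"', "\x1a" => '\\Z',
    ]);
}

function compareEscaping(string $s): array {
    return [
        'addslashes'               => addslashes($s),
        'mysql_real_escape_string' => mysqlStyleEscape($s),
    ];
}

// Constructed input: a quote, a newline and a Ctrl-Z. addslashes() leaves the
// last two as raw control bytes; the MySQL rules turn them into \n and \Z,
// which is the "easier to read logs" point Henderson makes.
print_r(compareEscaping("O'Brien\nline2\x1a"));

// Prepared-statement version of AddNewCustomer(): values travel separately
// from the SQL text, so neither escaping function is needed at all.
// sha1() is kept from the original code only so the two versions line up.
function addNewCustomer(PDO $db, string $firstName, string $lastName, string $password): int {
    $stmt = $db->prepare(
        'INSERT INTO Customer_Info (FirstNameCol, LastNameCol, PasswordCol) VALUES (?, ?, ?)'
    );
    $stmt->execute([$firstName, $lastName, sha1($password)]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');   // assumption: SQLite stand-in for MySQL
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Customer_Info (id INTEGER PRIMARY KEY,
           FirstNameCol TEXT, LastNameCol TEXT, PasswordCol TEXT)');

// Constructed last name containing a quote and a comment marker. With the
// concatenated query from the original post this would break the statement;
// with a bound parameter it is stored exactly as given.
$id   = addNewCustomer($db, 'Paul', "O'Brien'; -- ", 'secret');
$read = $db->prepare('SELECT LastNameCol FROM Customer_Info WHERE id = ?');
$read->execute([$id]);
var_dump($read->fetchColumn() === "O'Brien'; -- ");
```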