[nycphp-talk] mysql_real_escape_string WAS: Mysql question!

Rob Marscher rmarscher at beaffinitive.com
Tue Oct 31 17:37:16 EST 2006


Cool... I thought Chris might have something on this.  The previous 
chapter is all about unicode/utf-8 - why you should use it, how you make 
sure that your input is valid utf-8, etc... so maybe he was making the 
statement in that context where everything has already been converted to 
valid utf-8 (and the database uses utf-8 for its tables).
Thanks a lot!
-Rob

Carlos A Hoyos wrote:
>> I'm currently reading "Building Scalable Web Sites" by Cal Henderson
>> (which I think is great so far for anyone making large [or potentially
>> large] web apps).  In the section about avoiding sql injection attacks,
>> he says "the more complicated mysql_real_escape_string escapes a bunch
>> more characters but is ultimately unnecessary (although useful for
>> making logs easier to read)."  I thought that was interesting -
>> "ultimately unnecessary."
>>     
>
>
> mysql_real_escape_string takes into consideration the character set which
> addslashes doesn't.
>
> You are safe if you're using ansi-8859 or utf-8, but other character
> encodings which have valid characters ending in 0x5c will not be properly
> escaped by addslashes.
>
> Chris has an example of this here: http://shiflett.org/archive/184
>
> Carlos Hoyos
>
>
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
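The bypass Carlos describes, worked through as an added example (not code from the thread, the book, or PHP). The attacker input is constructed; `addslashes` here is a byte-for-byte model of PHP's function; `escape_in_charset` is our own decode-first escaper, not a reimplementation of mysql_real_escape_string; and `first_literal` is a simplified model of the server's literal scanner (decode in the connection charset, backslash escapes the next character, undecodable bytes kept as single characters). It also goes a step beyond the thread by probing any charset for a two-byte character ending in 0x5c, which is the property that makes addslashes unsafe there and harmless under UTF-8 or ISO-8859-1.

```python
"""Added example: byte-oriented escaping (addslashes) versus charset-aware
escaping when the connection charset has a valid character ending in 0x5c.
The server model and escaper are assumptions for illustration only."""

ESCAPES = {0x27: "\\'", 0x22: '\\"', 0x5C: "\\\\", 0x00: "\\0"}

# Constructed attacker inputs. 0xbf is a GBK lead byte; 0xbf27 is NOT a valid
# GBK character, but 0xbf5c (what addslashes turns it into) IS one.
PAYLOAD = b"\xbf' OR 1=1 -- "
# Legitimate GBK text (the character 0xbf5c) followed by a quote.
VALID_GBK = b"\xbf\x5c' OR 1=1 -- "


def addslashes(data: bytes) -> bytes:
    """Model of PHP addslashes(): works on bytes, knows nothing of the charset."""
    out = bytearray()
    for b in data:
        if b in ESCAPES:
            out += b"\\"
        out.append(b)
    return bytes(out)


def escape_in_charset(data: bytes, charset: str) -> bytes:
    """Our own charset-aware escaper (assumption): decode with the connection
    charset first, so a stray lead byte such as 0xbf before a quote is rejected
    rather than fused with the added backslash; then escape per character."""
    text = data.decode(charset)  # raises UnicodeDecodeError on invalid input
    return "".join(ESCAPES.get(ord(c), c) for c in text).encode(charset)


def build_query(escaped_value: bytes) -> bytes:
    return b"SELECT * FROM users WHERE name = '" + escaped_value + b"'"


def first_literal(statement: bytes, charset: str):
    """Simplified server scanner: characters, not bytes; a backslash escapes the
    next character; undecodable bytes survive as single characters
    (surrogateescape).  Returns (literal_body, text_after_the_literal)."""
    text = statement.decode(charset, errors="surrogateescape")
    i = text.index("'") + 1
    body = []
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            body.append(text[i + 1])
            i += 2
        elif c == "'":
            return "".join(body), text[i + 1:]
        else:
            body.append(c)
            i += 1
    raise ValueError("unterminated literal")


def outcome(payload: bytes, charset: str, use_addslashes: bool) -> str:
    """'rejected' (input refused), 'injected' (literal closed early, SQL
    followed it) or 'safe' (the whole payload stayed inside the literal)."""
    try:
        value = addslashes(payload) if use_addslashes else escape_in_charset(payload, charset)
    except UnicodeDecodeError:
        return "rejected"
    _, rest = first_literal(build_query(value), charset)
    return "injected" if rest != "" else "safe"


def has_char_ending_in_backslash(charset: str) -> bool:
    """Probe: does any two-byte character of this charset end in 0x5c?  True for
    GBK, False for UTF-8 (continuation bytes are 0x80-0xbf) and for ISO-8859-1
    (every byte is its own character)."""
    for lead in range(0x80, 0x100):
        try:
            text = bytes([lead, 0x5C]).decode(charset)
        except UnicodeDecodeError:
            continue
        if len(text) == 1:
            return True
    return False


if __name__ == "__main__":
    for cs in ("gbk", "shift_jis", "utf-8", "latin-1"):
        print(f"{cs}: character ending in 0x5c? {has_char_ending_in_backslash(cs)}")
    for cs in ("gbk", "utf-8"):
        print(f"{cs} addslashes:       {outcome(PAYLOAD, cs, True)}")
        print(f"{cs} charset-aware:    {outcome(PAYLOAD, cs, False)}")
    print(f"gbk valid text, addslashes:    {outcome(VALID_GBK, 'gbk', True)}")
    print(f"gbk valid text, charset-aware: {outcome(VALID_GBK, 'gbk', False)}")
```

Under GBK, addslashes turns 0xbf 0x27 into 0xbf 0x5c 0x27; the server reads 0xbf5c as one character and the quote closes the literal. It also mangles genuine GBK text, since it escapes the 0x5c trail byte of a valid character. Decoding with the connection charset before escaping refuses the malformed payload and escapes the valid one correctly, which is the charset awareness mysql_real_escape_string brings that addslashes lacks; note that the real library still needs to be told the right connection charset to do this.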