NYCPHP Meetup

[nycphp-talk] mysql_real_escape_string WAS: Mysql question!

Cliff Hirsch cliff at pinestream.com
Tue Oct 31 17:44:45 EST 2006


I just read the same thing in Cal's book and was going to ask the group
about this. While prepared statements sound nice in theory, there are
many of us that still hack together "old-fashioned" queries. And what
does "ultimately unnecessary" mean anyway? Consumes more MIPS than it's
worth?

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
On Behalf Of Rob Marscher
Sent: Tuesday, October 31, 2006 3:27 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] mysql_real_escape_string WAS: Mysql question!

A side note here about mysql_real_escape_string - curious if anyone is
an expert on this... In the last year, I switched over from using
addslashes to using mysql_real_escape_string to escape strings in sql
statements because it's the 'right thing to do.'

I'm currently reading "Building Scalable Web Sites" by Cal Henderson 
(which I think is great so far for anyone making large [or potentially 
large] web apps).  In the section about avoiding sql injection attacks, 
he says "the more complicated mysql_real_escape_string escapes a bunch 
more characters but is ultimately unnecessary (although useful for 
making logs easier to read)."  I thought that was interesting - 
"ultimately unnecessary."

Although I guess this argument will be moot as soon as people move to 
php 5/mysql 5, as prepared statements seem to be the way to go there.

-Rob
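An added example, not code from either poster, putting the two escapers Rob and Cal compare next to the PHP 5 mysqli prepared statement Rob mentions. Host, credentials, database and the users/name/id table layout are placeholders for a local test setup.

```php
<?php
// Added example, not from the thread. Host, user, password, database and
// table/column names below are placeholders for a local test setup.

// Constructed input holding one of every byte either escaper treats specially.
$input = "O'Reilly \"quoted\" back\\slash\r\nline\x00nul\x1actrl-z";

// Return the distinct input bytes that $escaper (a function name) rewrites.
function escaped_bytes($escaper, $input) {
    $hits = array();
    for ($i = 0; $i < strlen($input); $i++) {
        $c = $input[$i];
        if ($escaper($c) !== $c) {
            $hits[] = sprintf('0x%02x', ord($c));
        }
    }
    return array_unique($hits);
}

// mysql_real_escape_string needs an open connection (it escapes according to
// the connection's character set); addslashes does not.
$link = mysql_connect('localhost', 'app_user', 'app_password');
mysql_select_db('app_db', $link);

// addslashes touches ' " \ and NUL; mysql_real_escape_string also touches
// \r, \n and Ctrl-Z (0x1a), the "bunch more characters" Cal refers to.
echo "addslashes:               ", implode(' ', escaped_bytes('addslashes', $input)), "\n";
echo "mysql_real_escape_string: ", implode(' ', escaped_bytes('mysql_real_escape_string', $input)), "\n";

// The "old-fashioned" query: the escaped value is spliced into the SQL text,
// so its safety rests entirely on the escaper matching the server's parsing.
$sql = sprintf("SELECT id FROM users WHERE name = '%s'",
               mysql_real_escape_string($input, $link));
$result = mysql_query($sql, $link);

// PHP 5 / MySQL 4.1+ alternative: a mysqli prepared statement. The value is
// sent separately from the query text, so no escaping is involved at all.
$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$stmt = $mysqli->prepare('SELECT id FROM users WHERE name = ?');
$stmt->bind_param('s', $input);
$stmt->execute();
$stmt->bind_result($id);
while ($stmt->fetch()) {
    echo "matched id $id\n";
}
$stmt->close();
```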



