[nycphp-talk] mysql_real_escape_string WAS: Mysql question!
David Krings
ramons at gmx.net
Tue Oct 31 19:11:49 EST 2006
Hi,
from my experience, addslashes does the trick for the most part, but
mysql_real_escape_string is indeed the better one to use as it does
cover all possible (not only the likely) characters that could get MySQL
and its user in hot water.
From a practical viewpoint I'd just say both work fine and are
better than nothing with the difference that mysql_real_escape_string
requires a database connection before it can be called whereas
addslashes doesn't. So when you just want to massage some input through
a bunch of scripts that do not do anything with the database, then
addslashes may be the more convenient thing to use. So far I haven't
come across a situation where it would have mattered, but since I'm a
just-for-fun PHP hobbyist and not a pro, it is quite possible that there
are situations where it does make a difference.
David K.
Rob Marscher wrote:
> A side note here about mysql_real_escape_string - curious if anyone is
> an expert on this... In the last year, I switched over from using
> addslashes to using mysql_real_escape_string to escape strings in SQL
> statements because it's the 'right thing to do.'
>
> I'm currently reading "Building Scalable Web Sites" by Cal Henderson
> (which I think is great so far for anyone making large [or potentially
> large] web apps). In the section about avoiding sql injection attacks,
> he says "the more complicated mysql_real_escape_string escapes a bunch
> more characters but is ultimately unnecessary (although useful for
> making logs easier to read)." I thought that was interesting -
> "ultimately unnecessary."
>
> Although I guess this argument will be moot as soon as people move to
> php 5/mysql 5, as prepared statements seem to be the way to go there.
>
> -Rob
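As an added example, not code from David's or Rob's posts nor from Henderson's book, here are the three approaches the thread compares side by side. It is written against mysqli, because the mysql_* functions the thread refers to were removed in PHP 7; mysqli::real_escape_string is the direct successor of mysql_real_escape_string. The host, credentials, database, `users` table and `name` column are placeholders, and the input string is constructed to carry the characters the two escaping functions treat differently.

```php
<?php
// Added example, not code from the original thread. Connection details are
// placeholders; the `users` table with a `name` column is assumed to exist.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Constructed input: an apostrophe (the classic injection character), a NUL
// byte, a newline and a backslash.
$input = "O'Reilly\0\n\\";

// 1. addslashes(): escapes only ' " \ and NUL, and knows nothing about the
//    character set the MySQL connection uses. Needs no connection, which is
//    the convenience David describes.
$viaAddslashes = addslashes($input);

// 2. real_escape_string(): also escapes \n, \r and \x1a, and escapes with
//    respect to the connection character set, which is why it needs an open
//    connection. Set the charset through set_charset(), not with a
//    "SET NAMES" query, so the client library knows which charset it is
//    escaping for.
$db = new mysqli('127.0.0.1', 'app', 'secret', 'appdb');
$db->set_charset('utf8mb4');
$viaRealEscape = $db->real_escape_string($input);

// The escaped value is still interpolated into the SQL text.
$sql = "SELECT id FROM users WHERE name = '" . $viaRealEscape . "'";
$escapedResult = $db->query($sql);

// 3. Prepared statement: the value travels separately from the SQL text and
//    is never parsed as SQL, so no escaping function is involved at all.
$stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
$stmt->bind_param('s', $input);
$stmt->execute();
$preparedResult = $stmt->get_result();

// bin2hex() makes the NUL byte and the newline visible in the output.
printf("addslashes:         %s\n", bin2hex($viaAddslashes));
printf("real_escape_string: %s\n", bin2hex($viaRealEscape));
printf("escaped query rows: %d, prepared rows: %d\n",
       $escapedResult->num_rows, $preparedResult->num_rows);
```

The extra characters mysql_real_escape_string covers (newline, carriage return, Ctrl-Z) are the part Henderson calls unnecessary for injection purposes; the difference that does matter is that it escapes for the connection's character set while addslashes works byte by byte with no such knowledge. The prepared statement removes the question entirely, which is the point of Rob's closing remark.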