NYCPHP Meetup

NYPHP.org

[nycphp-talk] mysql_real_escape_string WAS: Mysql question!

David Krings ramons at gmx.net
Tue Oct 31 19:21:47 EST 2006


Hi,

    My guess is that some of the characters escaped using the mysql 
escaping cannot be reasonably expected to come in from user input. 
mysql_real_escape_string escapes all of these:
\x00, \n, \r, \, ', " and \x1a
    but I can't think of any way of how to get \x1a as user input 
(assuming that this is the hex value for an ASCII character). Even NULL 
is difficult, but not impossible. I guess that the "ultimately 
unnecessary" looks at it from a viewpoint of what is possible assuming 
the user is the idiot and not the developer. It consumes a trip to the 
database engine and back, whereas addslashes doesn't. I don't know, my 
arguments are a bit thin and it may really be just like that: "ultimately 
unnecessary" as long as the string was addslashed.

    David K.

Cliff Hirsch wrote:
> I just read the same thing in Cal's book and was going to ask the group
> about this. While prepared statements sound nice in theory, there are
> many of us that still hack together "old-fashioned" queries. And what
> does "ultimately unnecessary" mean anyway? Consumes more mips than it's
> worth?
>   
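An added example (not from the list thread or from PHP/MySQL) that compares the escape set David lists for mysql_real_escape_string with what PHP's addslashes() covers, byte by byte and offline. The MySQL mapping is reconstructed from the post's character list plus the \0 and \Z output forms MySQL uses; the sample input is constructed.

```python
# Escape set attributed to mysql_real_escape_string() in the post, with the
# output forms MySQL uses for NUL (\0) and Ctrl-Z (\Z). Reimplemented here
# for offline comparison; the real function is also connection-charset aware,
# which this byte-level version is not.
MYSQL_ESCAPES = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
                 "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

# PHP addslashes(): backslash, single quote, double quote and NUL only.
ADDSLASHES_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\x00": "\\0"}


def escape(s: str, table: dict) -> str:
    return "".join(table.get(ch, ch) for ch in s)


def mysql_style_escape(s: str) -> str:
    return escape(s, MYSQL_ESCAPES)


def addslashes(s: str) -> str:
    return escape(s, ADDSLASHES_ESCAPES)


def only_mysql_escapes(s: str) -> list:
    """Characters of s that the MySQL set escapes but addslashes() leaves raw."""
    return sorted({c for c in s if c in MYSQL_ESCAPES and c not in ADDSLASHES_ESCAPES})


# Inverse table: the character after a backslash -> the byte the server stores.
UNESCAPE = {v[1]: k for k, v in MYSQL_ESCAPES.items()}


def unescape(s: str) -> str:
    """What the server stores from an escaped literal body (unknown \\x keeps x)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(UNESCAPE.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


# Constructed "user input": any of these bytes can arrive in a raw POST body.
SAMPLE = "O'Brien\x00 line1\r\nline2\x1a\\end"
```

Running unescape() over both escaped forms of SAMPLE shows that both round-trip to the original bytes; the three characters addslashes() leaves raw (\n, \r, \x1a) matter for logs, dump files and terminals that see the literal, not for the server's parse.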
