[nycphp-talk] mysql_real_escape_string WAS: Mysql question!
ramons at gmx.net
Tue Oct 31 19:21:47 EST 2006
my guess is that some of the characters escaped using the mysql
escaping cannot be reasonably expected to come in from user input.
Mysql_real_escape_string escapes all these:
\x00, \n, \r, \, ', " and \x1a
but I can't think of any way on how to get \x1a as user input
(assuming that this is the hex value for an ASCII character). Even NULL
is difficult, but not impossible. I guess that the "ultmately
unecessary" looks at it from a viewpoint of what is possible assuming
the user is the idiot and not the developer. It consumes a trip to the
database engine and back, whereas addslashes doesn't. I don't know, my
arguments are a bit thin and it may really just like that: "ultimately
unecessary" as long as the string was addslashed.
Cliff Hirsch wrote:
> I just read the same thing in Cal's book and was going to ask the group
> about this. While prepared statements sound nice in theory, there are
> many of us that still hack together "old-fashioned" queries. And what
> does "ultimately unnecessary" mean anyway? Consumes more mips than its
More information about the talk