[nycphp-talk] mysql_real_escape_string WAS: Mysql question!
David Krings
ramons at gmx.net
Tue Oct 31 20:32:20 EST 2006
Dan Cech wrote:
> What you're failing to consider here is the character set of the active
> mysql connection. Correct me if I'm wrong, but it is my understanding
> that mysql_real_escape_string does not incur an extra trip to the
> database, the escaping still occurs within php, but it takes into
> account the character set of the active connection.
>
You probably know this better than I do, but in any case, you need to
have a connection established otherwise mysql_real_escape_string throws
an error. That means that something is going back and forth to the db
engine at some point, which isn't a big deal if one needs the connection
anyway. Addslashes doesn't need anything.
> This may not seem that important right now, but when you find yourself
> wanting/needing to switch to utf8 you'll be glad you used mysql_real_escape.
>
That was mentioned in a different post and I did not mean to make it
appear as if this doesn't happen.
> As for how strange characters might get into input, assuming that it
> won't happen is just plain bad practice. Of course the enterprising
> hacker will find a way to inject these characters, and addslashes will fail.
>
I also did not mean to advertise using addslashes (I myself stopped
doing that), but tried to get some sense into the "ultimately
unnecessary" that was brought up by Cliff.
> When dealing with user input, always use the very best tools you have
> available to you, because the one corner you cut will be the chink in
> your application's armor.
>
> Dan
I wholeheartedly agree with this.
David K.
More information about the talk
mailing list