[nycphp-talk] mysql_real_escape_string WAS: Mysql question!

Dan Cech dcech at phpwerx.net
Tue Oct 31 22:02:21 EST 2006


David Krings wrote:
> Dan Cech wrote:
>> What you're failing to consider here is the character set of the active
>> mysql connection.  Correct me if I'm wrong, but it is my understanding
>> that mysql_real_escape_string does not incur an extra trip to the
>> database, the escaping still occurs within php, but it takes into
>> account the character set of the active connection.
>>   
> You probably know this better than I do, but in any case, you need to 
> have a connection established otherwise mysql_real_escape_string throws 
> an error. That means that something is going back and forth to the db 
> engine at some point, which isn't a big deal if one needs the connection 
> anyway. Addslashes doesn't need anything.

Actually no, all it means is that without an active connection,
mysql_real_escape_string doesn't know what character encoding is being used.

I looked through the source and found that the php extension just passes
the string and the specified connection through to the mysql client
library's C function of the same name, which then looks up the character
set of the connection and performs the escaping.

That said, I did come across this line in the mysql documentation:

Strictly speaking, MySQL requires only that backslash and the quote
character used to quote the string in the query be escaped. This
function quotes the other characters to make them easier to read in log
files.

However, when reading through the mysql client source I do see it
performing special processing for both correctly formed and malformed
multibyte characters, as well as correctly handling the situation where
the NO_BACKSLASH_ESCAPES SQL mode is enabled on the server.  This alone
is important, as addslashes will fail horribly in this situation.

Dan
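
The difference discussed in this message, as an added example (not code from the post, from PHP, or from the MySQL client source): a simplified byte-level model of addslashes next to an escaper that knows the connection character set and the NO_BACKSLASH_ESCAPES flag. The function names, the choice of sjis as the connection character set, and the sample bytes are assumptions made for illustration; malformed multibyte input and the NUL/newline cases are not modelled.

```c
#include <stdio.h>

/* Model of PHP addslashes(): byte-wise, blind to charset and SQL mode (NUL case omitted). */
size_t addslashes_model(const unsigned char *in, size_t n, unsigned char *out) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'' || in[i] == '"' || in[i] == '\\') out[o++] = '\\';
        out[o++] = in[i];
    }
    return o;
}
/* Returns 2 if p starts a well-formed sjis double-byte character, else 1. */
static size_t sjis_len(const unsigned char *p, size_t left) {
    if (left < 2) return 1;
    int head = (p[0] >= 0x81 && p[0] <= 0x9F) || (p[0] >= 0xE0 && p[0] <= 0xFC);
    int tail = (p[1] >= 0x40 && p[1] <= 0x7E) || (p[1] >= 0x80 && p[1] <= 0xFC);
    return (head && tail) ? 2 : 1;
}
/* Hypothetical connection-aware escaper: keeps double-byte characters whole, quoting rule set by SQL mode. */
size_t aware_escape_model(const unsigned char *in, size_t n, unsigned char *out,
                          int no_backslash_escapes) {
    size_t o = 0;
    for (size_t i = 0; i < n; ) {
        if (sjis_len(in + i, n - i) == 2) {   /* never escape inside a character */
            out[o++] = in[i++]; out[o++] = in[i++];
            continue;
        }
        unsigned char c = in[i++];
        if (no_backslash_escapes) {
            if (c == '\'') out[o++] = '\'';   /* backslash is literal here: double the quote */
        } else if (c == '\'' || c == '"' || c == '\\') {
            out[o++] = '\\';
        }
        out[o++] = c;
    }
    return o;
}
static void dump(const char *label, const unsigned char *b, size_t n) {
    printf("%-29s", label);
    for (size_t i = 0; i < n; i++) printf(" %02X", b[i]);
    printf("\n");
}
int main(void) {
    /* Constructed input: sjis character 0x95 0x5C (second byte is the backslash byte), then an apostrophe. */
    const unsigned char in[] = { 0x95, 0x5C, '\'' };
    unsigned char out[16];
    dump("addslashes model:", out, addslashes_model(in, 3, out));
    dump("aware, default mode:", out, aware_escape_model(in, 3, out, 0));
    dump("aware, NO_BACKSLASH_ESCAPES:", out, aware_escape_model(in, 3, out, 1));
}
```

On this input the addslashes model produces 95 5C 5C 5C 27: it inserts a backslash after the second byte of the double-byte character, and it leaves the apostrophe undoubled, which is an unescaped quote once NO_BACKSLASH_ESCAPES makes backslash a literal.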


