Re: mysql_real_escape_string() vs addslashes()

Posted by Justin Koivisto on 11/03/05 16:54

Marcus wrote:
> Hello,
>
> My php.ini file currently has magic quotes set to On, but I have read
> that it is better to code with it off.
>
> Currently with magic quotes on, I only use stripslashes() to properly
> format strings that are displayed on the screen. I know that now with
> magic quotes off, I will have to manually handle escaping special
> characters with mysql_real_escape_string() or addslashes().
>
> My question is this... from what I can gather on php.net and some other
> sources, mysql_real_escape_string() is better than addslashes(), so am I
> correct in saying that I don't ever need to use addslashes()?
>
> I know I need to use one of these functions when formatting queries to
> MySQL to prevent SQL injection attacks, but how about when I am just
> dealing with variables in $_POST, $_GET, and $_SESSION? With magic
> quotes on, when I perform a SELECT and a row has a single quote in the
> result, for example, magic quotes will automatically add a \ to the
> value. Is there any security risk or other drawback in not escaping out
> special characters that I am just working with in the code, and then
> formatting everything right before sending to the database?
>
> Thanks a lot in advance.

If you are only concerned with MySQL queries, then *only* use
mysql_real_escape_string.

It escapes special characters in the string using the current character
set of the connection. If you want to use binary data in your query, you
will definitely need this function as well. PHP's
mysql_real_escape_string uses MySQL's library function
mysql_real_escape_string.

The same holds true for all database systems when working with PHP. If
there is a "native" escaping function, you should use that and only use
addslashes as a last resort.

addslashes only adds a backslash for the following characters:
* single quote (')
* double quote (")
* backslash (\)
* NUL (the NULL byte).

mysql_real_escape_string escapes the following characters:
* \x00
* \n
* \r
* \
* '
* "
* \x1a

HTH.

--
Justin Koivisto, ZCE - justin@koivi.com
http://koivi.com
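The two character lists above can be compared directly. The script below is an added example, not code from the original thread: it runs PHP's real addslashes() against a hypothetical byte-wise stand-in (escapeLikeMysql) that only reproduces the seven-character list the post gives for mysql_real_escape_string, so the comparison works offline without a database connection. The stand-in is not charset-aware, which is exactly the property that makes the native function (today mysqli_real_escape_string, or better, a prepared statement via mysqli/PDO) the one to use in production; the sample string is constructed to contain every byte from both lists.

```php
<?php
// Added example (not from the original post). Compares the bytes that
// addslashes() escapes with the list the post gives for
// mysql_real_escape_string(), on a constructed sample string.
//
// mysql_real_escape_string() needs a live connection because it escapes
// according to the connection's character set (and the ext/mysql API is
// gone since PHP 7). escapeLikeMysql() is a hypothetical byte-wise
// stand-in that only reproduces the character list from the post so the
// comparison can run offline. It is NOT charset-aware and is not a
// substitute for mysqli_real_escape_string() or a prepared statement.

declare(strict_types=1);

/** Hypothetical stand-in: escapes exactly the seven bytes listed in the post. */
function escapeLikeMysql(string $s): string
{
    $map = [
        "\x00" => '\\0',   // NUL
        "\n"   => '\\n',   // line feed
        "\r"   => '\\r',   // carriage return
        "\\"   => '\\\\',  // backslash
        "'"    => "\\'",   // single quote
        '"'    => '\\"',   // double quote
        "\x1a" => '\\Z',   // Ctrl-Z (EOF marker on Windows)
    ];
    return strtr($s, $map);
}

/** Returns the bytes from the post's list that $escape leaves unchanged. */
function unescapedBytes(callable $escape): array
{
    $left = [];
    foreach (["\x00", "\n", "\r", "\\", "'", '"', "\x1a"] as $c) {
        if ($escape($c) === $c) {
            $left[] = sprintf('\\x%02x', ord($c));
        }
    }
    return $left;
}

// Constructed sample containing every byte from both lists.
$sample = "O'Reilly \"quoted\" back\\slash\x00 line\nfeed\r ctrl-Z\x1a";

printf("addslashes:          %s\n", addslashes($sample));
printf("mysql-style:         %s\n", escapeLikeMysql($sample));
printf("addslashes leaves:   %s\n", implode(', ', unescapedBytes('addslashes')));
printf("mysql-style leaves:  %s\n", implode(', ', unescapedBytes('escapeLikeMysql')) ?: '(none)');
```

Running it shows that addslashes() handles NUL, the quotes and the backslash but leaves \x0a, \x0d and \x1a untouched, which is the concrete difference behind the advice to prefer the native MySQL function. Note that even the native function escapes byte patterns; binding values with prepared statements keeps data out of the SQL text entirely, so no escaping choice has to be made at all.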
