Posted by Andy Hassall on 11/07/02 11:31
On 7 Nov 2005 06:53:32 -0800, "frizzle" <phpfrizzle@gmail.com> wrote:
>I have 2 small questions, which I really want to be sure about:
>
>- does mysql_real_escape_string() prevent any kind of mysql-injection?
If you always remember to use it correctly, then it stops the class of SQL
injection attacks where values are interpreted as SQL.
>- can it put escaped quotes etc in the DB, or are those automatically
> 'converted' again?
Well, that's one of its more common uses, to escape quotes in quoted strings
properly. Nothing's automatically converted, unless you have the dreaded
magic_quotes option turned on. So not sure what you're asking there.
I still maintain you're better off using a library such as ADOdb which
emulates placeholders for MySQL - not only do you not have to worry about
escaping any more, it also gets you into better habits for other databases
where using placeholders/bind variables is critical for efficiency.
http://adodb.sourceforge.net/
http://phplens.com/adodb/reference.functions.prepare.html
--
Andy Hassall :: andy@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool
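An added example (mine, not Andy's, and not ADOdb's own code) of the three approaches the reply contrasts, in PHP 5-era code: the `users` table, the credentials and the ADOdb include path are assumptions, and the mysql_* functions used in step 2 were removed in PHP 7.

```php
<?php
// Added example, not from the original thread. Assumes a table `users`
// with columns `id` and `name`, and ADOdb installed under ./adodb/.
require_once 'adodb/adodb.inc.php';   // include path is an assumption
$ADODB_FETCH_MODE = ADODB_FETCH_ASSOC;

// Constructed sample input: a perfectly legitimate value that happens
// to contain a single quote.
$name = "O'Brien";

// 1. Unescaped concatenation. The quote inside $name terminates the SQL
//    string literal early, so the rest of the value is parsed as SQL.
//    This is the class of bug the thread is about: data read as code.
$bad = "SELECT id FROM users WHERE name = '" . $name . "'";

// 2. mysql_real_escape_string(), which needs an open connection because
//    escaping depends on the connection's character set. "Using it
//    correctly" means the escaped value must sit inside quotes in the
//    SQL text; escaping does nothing for an unquoted numeric value or
//    for a table/column name.
$link = mysql_connect('localhost', 'user', 'secret');
$good = "SELECT id FROM users WHERE name = '"
      . mysql_real_escape_string($name, $link) . "'";

// 3. ADOdb placeholders, as the reply recommends. The value is passed
//    separately from the SQL text, so there is nothing for the caller to
//    escape; ADOdb emulates the ? placeholder for MySQL by quoting the
//    bound value itself, and the same call works unchanged on databases
//    with native bind variables.
$db = NewADOConnection('mysql');
$db->Connect('localhost', 'user', 'secret', 'appdb');
$rs = $db->Execute('SELECT id FROM users WHERE name = ?', array($name));
while ($rs && !$rs->EOF) {
    echo $rs->fields['id'], "\n";
    $rs->MoveNext();
}
```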