Posted by Jason Wong on 05/12/05 03:23

On Thursday 12 May 2005 06:30, -k. wrote:
> I have a related question, many of you have suggested
> using addslashes on your variables to prevent SQL
> injections, but is it safer to use
> mysql_real_escape_string (or mysql_escape_string)?
> What is the benefit / cost of using
> mysql_real_escape_string rather than addslashes? When
> using Postgres i always use pg_escape_string on
> anything i send the DB's way. In fact the manual says
> specifically to use pg_escape_string rather than
> addslashes (however it doesn’t give that advice in
> mysql_real_escape_string )...

Postgresql uses a single-quote to escape a single-quote. MySQL uses a
backslash. Hence running addslashes() on a string destined for MySQL is
usually OK whilst doing so for Postgresql is not.

But now that mysql_real_escape_string() is available that is what you
ought to use.

--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
New Year Resolution: Ignore top posted posts

• Next in forum: Re: [PHP] Generating a php file
• Prev in forum: PHP 5.0. Save classes in a session. Need help now
• Thread view: Re: [PHP] MySql injections (related question)

[Reply to this message]