Re: [PHP] MySql injections (related question)

Posted by Jason Wong on 05/12/05 06:58

On Thursday 12 May 2005 09:57, Richard Lynch wrote:
> On Wed, May 11, 2005 5:23 pm, Jason Wong said:
> > But now that mysql_real_escape_string() is available that is what you
> > ought to use.
>
> But are they REALLY different.

mysql_real_escape_string() is most certainly different from
mysql_escape_string(), and of course addslashes(), in that it takes into
account the language/character encoding.

Also, the manual entries for addslashes() and mysql_real_escape_string() do
tell you what characters are escaped.

> Or, put it this way:

[snip]

> Or is mysql_real_escape_string just something I should use going
> forward in case it might be better someday, but it's really the same
> for now?

I suppose that if you're not using some esoteric character encoding then
the standard addslashes() would suffice. However, a "quick fix" is simply
to do a search and replace, then make sure you have established a mysql
connection early on in your code (before mysql_real_escape_string() is
called).

> It's all very well to repeat these pronouncements from on high that
> "mysql_real_escape_string is better" but I personally would sure
> appreciate somebody who's saying this to say *WHY* it is better, and in
> precisely what ways it is different from addslashes and/or magic quotes
> with or without data scrubbing.

mysql_real_escape_string() calls the underlying MySQL C client library and
because that library is produced by the MySQL people they are in the best
position to know what exactly needs escaping. And in the event that "what
needs escaping" gets updated then you don't need to touch your code
because when the MySQL library is updated you're set. Not so if you use
your own escaping function(s).

> Maybe I just missed that detailed analysis of the inherent superiority
> of mysql_real_escape_string, but it's not for a lack of looking...

Well, put it this way: addslashes() was not meant to make data "safe" for
mysql, it just happened to work. Now that there is a better/official/whatever
alternative, why not use it?

--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
New Year Resolution: Ignore top posted posts
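Added example, not part of the original post and not code from PHP or MySQL: a byte-level model of the difference Jason describes, written in Python rather than PHP because mysql_real_escape_string() needs a live server connection to run. The escaper `gbk_escape()` and the server-side scan `literal_end()` are simplified models of the MySQL client library's charset-aware escaping and of the server's string-literal lexing on a GBK connection, written for this example; the inputs `PLAIN` and `BREAKOUT` are constructed. It shows that for ordinary input both escapers agree (the "addslashes() would suffice" case), and that for a GBK lead byte followed by a quote, addslashes() produces a byte sequence the server reads as one valid character plus a bare quote, while the charset-aware escaper escapes the stray lead byte first so the literal cannot be broken out of.

```python
# Added example (not part of the original post): a byte-level model of why
# charset-aware escaping differs from addslashes(). The escaper and the
# server-side scan below are simplified models of the MySQL client library
# and the server lexer, written for this example; they are not the real code.


def gbk_char_len(data: bytes, i: int) -> int:
    """Return 2 if data[i:i+2] is a valid GBK double-byte character, else 0.
    GBK lead bytes are 0x81-0xFE, trail bytes 0x40-0x7E or 0x80-0xFE."""
    if i + 1 < len(data) and 0x81 <= data[i] <= 0xFE:
        trail = data[i + 1]
        if 0x40 <= trail <= 0x7E or 0x80 <= trail <= 0xFE:
            return 2
    return 0


def addslashes(data: bytes) -> bytes:
    """Charset-unaware escaping, byte by byte, as PHP's addslashes() does it:
    a backslash before ' " \\ and NUL, every other byte copied through."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):      # ' " \
            out += b"\\" + bytes([b])
        elif b == 0x00:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


def gbk_escape(data: bytes) -> bytes:
    """Charset-aware escaping for a GBK connection, modelled on the rule the
    MySQL client library applies: a complete multibyte character passes
    through untouched, and a lead byte that does NOT start a valid character
    is itself escaped, so it can never absorb a following backslash."""
    out = bytearray()
    i = 0
    while i < len(data):
        n = gbk_char_len(data, i)
        if n:
            out += data[i:i + n]
            i += n
            continue
        b = data[i]
        if b in (0x27, 0x22, 0x5C) or 0x81 <= b <= 0xFE:
            out += b"\\" + bytes([b])
        elif b == 0x00:
            out += b"\\0"
        else:
            out.append(b)
        i += 1
    return bytes(out)


def literal_end(body: bytes) -> int:
    """Index at which a MySQL server on a GBK connection closes a
    single-quoted literal whose contents begin at body[0]. Simplified model
    of the server's scan: a valid multibyte character is skipped whole,
    a backslash skips the single byte after it, a bare ' ends the literal.
    Returns -1 for an unterminated literal."""
    i = 0
    while i < len(body):
        n = gbk_char_len(body, i)
        if n:
            i += n
        elif body[i] == 0x5C:
            i += 2
        elif body[i] == 0x27:
            return i
        else:
            i += 1
    return -1


def sql_after_literal(user_input: bytes, escape) -> bytes:
    """Escape user_input with `escape`, embed it as  ... WHERE name = '<escaped>'
    and return the bytes the server would treat as SQL *after* the literal
    closes. Anything other than b'' means the input broke out of the string."""
    body = escape(user_input) + b"'"          # contents plus our closing quote
    end = literal_end(body)
    return b"" if end < 0 else body[end + 1:]


# Constructed inputs: an ordinary apostrophe, and the classic GBK breakout.
PLAIN = b"O'Reilly"
# 0xBF is a GBK lead byte; 0xBF 0x27 is not a valid character, but
# 0xBF 0x5C (the lead byte followed by the backslash addslashes inserts) is.
BREAKOUT = b"\xbf' OR 1=1 -- "

if __name__ == "__main__":
    for name, payload in (("plain", PLAIN), ("gbk breakout", BREAKOUT)):
        for fn in (addslashes, gbk_escape):
            tail = sql_after_literal(payload, fn)
            print(f"{name:13} {fn.__name__:11} escaped={fn(payload)!r} injected={tail!r}")
```

In PHP terms the matching practice is the one the post gives: open the connection first, then call mysql_real_escape_string(), which escapes according to the character set the client library believes the connection uses. One caveat worth knowing: the client library can only apply the right rule if it actually knows that character set; a character set changed purely on the server side (for example with a SET NAMES statement) is not visible to the client library's escaping.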
