Posted by James Williams on 05/13/05 02:09

I couldn't tell you the technicals of it, but just from the php documentation:

" This function must always (with few exceptions) be used to make data
safe before sending a query to MySQL."

On 5/12/05, Richard Lynch <ceo@l-i-e.com> wrote:
> On Thu, May 12, 2005 12:39 pm, James Williams said:
> > I'm pretty sure that, in order to use mysql_real_escape_string() you
> > must have magic quotes off or use stripslashes first... the same as
> > addslashes, so it should work if you just search and replace. Don't
> > quote me on that though
>
> Well, yes, but you see it's no longer as simple as a global search and
> replace, since there is no addslashes all over the place.
>
> I have to hand-examine every file in, what, almost a decade's worth of
> code spread over several dozen websites?
>
> What is the CURRENT security advantage, if any, to
> mysql_real_escape_string versus Magic Quotes?
>
> --
> Like Music?
> http://l-i-e.com/artists.htm
>
>


--
jamwil.com

• Next in forum: Re: [PHP] debugger for CLI PHP scripts...?
• Prev in forum: Re: [PHP] cURL functions
• Thread view: Re: [PHP] MySql injections (related question)

[Reply to this message]