Posted by Jason Wong on 05/12/05 03:23
On Thursday 12 May 2005 06:30, -k. wrote:
> I have a related question, many of you have suggested
> using addslashes on your variables to prevent SQL
> injections, but is it safer to use
> mysql_real_escape_string (or mysql_escape_string)?
> What is the benefit / cost of using
> mysql_real_escape_string rather than addslashes? When
> using Postgres I always use pg_escape_string on
> anything I send the DB's way. In fact the manual says
> specifically to use pg_escape_string rather than
> addslashes (however it doesn't give that advice in
> mysql_real_escape_string )...
Postgresql uses a single-quote to escape a single-quote. MySQL uses a
backslash. Hence running addslashes() on a string destined for MySQL is
usually OK whilst doing so for Postgresql is not.
But now that mysql_real_escape_string() is available that is what you
ought to use.
--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
New Year Resolution: Ignore top posted posts
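The two escaping conventions the reply contrasts (backslash-escaping as addslashes() produces, quote-doubling as pg_escape_string() produces) can be modelled with a small literal scanner. This is an added example, not code from the list post; it assumes a strict SQL-standard dialect with no backslash escapes for the PostgreSQL side and a MySQL-style dialect that accepts both backslash escapes and doubled quotes.

```python
from typing import Callable, Optional


def escape_backslash(value: str) -> str:
    """MySQL-style escaping, roughly what addslashes() does: backslash before ' and \\."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def escape_double_quote(value: str) -> str:
    """SQL-standard escaping, what pg_escape_string() does: double every single quote."""
    return value.replace("'", "''")


def literal_end(sql: str, backslash_escapes: bool) -> Optional[int]:
    """Scan a text that starts with a single-quoted literal.

    Returns the index just past the closing quote, or None if the literal
    never terminates. backslash_escapes=True models MySQL (\\' and '' both
    stand for a quote); False models strict SQL-standard strings ('' only).
    """
    if not sql or sql[0] != "'":
        raise ValueError("expected a quoted literal")
    i = 1
    while i < len(sql):
        ch = sql[i]
        if backslash_escapes and ch == "\\":
            i += 2                      # backslash consumes the next character
            continue
        if ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2                  # doubled quote is one literal quote
                continue
            return i + 1                # closing quote found
        i += 1
    return None                         # ran off the end: unterminated literal


def is_single_literal(value: str, escape: Callable[[str], str],
                      backslash_escapes: bool) -> bool:
    """True if quoting the escaped value yields exactly one well-formed literal.

    False means the literal either closes early (text spills outside the
    string) or never closes; both are the failure modes the thread warns about.
    """
    lit = "'" + escape(value) + "'"
    return literal_end(lit, backslash_escapes) == len(lit)


if __name__ == "__main__":
    # Constructed sample values: a quote in the data and a trailing backslash.
    for v in ("O'Reilly", "a\\"):
        print(repr(v), "addslashes->MySQL:", is_single_literal(v, escape_backslash, True),
              "addslashes->standard:", is_single_literal(v, escape_backslash, False),
              "pg_escape->standard:", is_single_literal(v, escape_double_quote, False),
              "pg_escape->MySQL:", is_single_literal(v, escape_double_quote, True))
```

The same value escaped for one dialect and sent to the other either leaks out of the literal or leaves it unterminated, which is why the escaping function should match the target database rather than being a generic addslashes().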