Reply to Re: [PHP] MySql injections (related question)

Posted by Jason Wong on 05/12/05 03:23

On Thursday 12 May 2005 06:30, -k. wrote:
> I have a related question, many of you have suggested
> using addslashes on your variables to prevent SQL
> injections, but is it safer to use
> mysql_real_escape_string (or mysql_escape_string)?
> What is the benefit / cost of using
> mysql_real_escape_string rather than addslashes? When
> using Postgres I always use pg_escape_string on
> anything I send the DB's way. In fact the manual says
> specifically to use pg_escape_string rather than
> addslashes (however it doesn’t give that advice in
> mysql_real_escape_string )...

PostgreSQL uses a single-quote to escape a single-quote. MySQL uses a
backslash. Hence running addslashes() on a string destined for MySQL is
usually OK whilst doing so for PostgreSQL is not.

But now that mysql_real_escape_string() is available that is what you
ought to use.

--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
New Year Resolution: Ignore top posted posts
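
The escaping mismatch described in the reply above, as an added example that is not part of the original post. Assumptions: SQLite from the Python standard library stands in for an engine that escapes a single quote with a second single quote, `addslashes` is a Python re-implementation of the PHP function, and the sample values are constructed.

```python
import sqlite3

def addslashes(s):
    """Python re-implementation of PHP addslashes(): backslash before ' " \\ and NUL."""
    out = []
    for ch in s:
        if ch == "\0":
            out.append("\\0")
        elif ch in "'\"\\":
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def double_quotes(s):
    """Quote-doubling convention: a single quote is escaped by a second one."""
    return s.replace("'", "''")

def run_literal(conn, escaped):
    """Splice an already-escaped value into a string literal.

    Returns the value the engine actually read, or the exception it raised.
    """
    try:
        return conn.execute("SELECT '" + escaped + "'").fetchone()[0]
    except sqlite3.Error as exc:
        return exc

def compare(value):
    """Send one value through both escaping conventions and a bound parameter."""
    conn = sqlite3.connect(":memory:")  # quote-doubling engine, no backslash escapes
    try:
        return {
            "addslashes": run_literal(conn, addslashes(value)),
            "doubling": run_literal(conn, double_quotes(value)),
            "parameter": conn.execute("SELECT ?", (value,)).fetchone()[0],
        }
    finally:
        conn.close()

if __name__ == "__main__":
    # Constructed sample values: a quote, a backslash, and a plain string.
    for sample in ("O'Brien", "a\\b", "plain"):
        print(repr(sample), compare(sample))
```

On this engine the backslash-escaped quote ends the literal early and the statement fails to parse, and a backslash in the data is stored doubled; quote doubling and the bound parameter both return the value unchanged.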
