Posted by Richard Lynch on 05/12/05 04:57
On Wed, May 11, 2005 5:23 pm, Jason Wong said:
> But now that mysql_real_escape_string() is available that is what you
> ought to use.
But are they REALLY different?
Or, put it this way:
Suppose I have 10,000,000 lines of code that have Magic Quotes on, which
calls addslashes automatically, and I already have scrubbing in place for
the data that can be scrubbed from untrusted users.
Is mysql_real_escape_string *DIFFERENT* in some incredibly huge secure way
that I want to stop working on all my current projects to go re-write the
10,000,000 lines of code?
Or is mysql_real_escape_string just something I should use going forward
in case it might be better someday, but it's really the same for now?
Or, is it a LITTLE better for an obscure hack that won't affect me if my
scrubbing is halfway decent?
Or... ???
It's all very well to repeat these pronouncements from on high that
"mysql_real_escape_string is better" but I personally would sure
appreciate somebody who's saying this to say *WHY* it is better, and in
precisely what ways it is different from addslashes and/or magic quotes
with or without data scrubbing.
It's not quite yet at the point where I'm getting tired of hearing about
"mysql_real_escape_string is better" but the envelope is being pushed. :-)
Maybe I just missed that detailed analysis of the inherent superiority of
mysql_real_escape_string, but it's not for a lack of looking...
--
Like Music?
http://l-i-e.com/artists.htm
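An added example, not part of the thread and not PHP's own implementation: it models the byte set the PHP manual documents for mysql_real_escape_string() (\x00, \n, \r, \, ', " and \x1a) as a plain string function so it can be run offline and compared with addslashes() on constructed inputs. The function name model_mysql_escape and the sample strings are assumptions made for this example; the real library call also honours the connection's character set, which this single-byte model deliberately does not.

```php
<?php
// Added example, not from the thread. Models the byte set the PHP manual
// documents for mysql_real_escape_string() so addslashes() can be compared
// with it offline. The real function is also aware of the connection's
// character set (hence it needs a link handle); this model is single-byte only.

/** Escape per the documented mysql_real_escape_string() character set (model). */
function model_mysql_escape(string $s): string
{
    $map = [
        "\x00" => '\\0',   // NUL
        "\n"   => '\\n',   // newline
        "\r"   => '\\r',   // carriage return
        '\\'   => '\\\\',  // backslash
        "'"    => "\\'",   // single quote
        '"'    => '\\"',   // double quote
        "\x1a" => '\\Z',   // Ctrl-Z (MySQL writes it as \Z)
    ];
    return strtr($s, $map);
}

/** Return only the inputs on which addslashes() and the model disagree. */
function escaping_differences(array $samples): array
{
    $diff = [];
    foreach ($samples as $label => $in) {
        $a = addslashes($in);          // escapes ', ", \ and NUL only
        $m = model_mysql_escape($in);
        if ($a !== $m) {
            $diff[$label] = ['addslashes' => $a, 'mysql_model' => $m];
        }
    }
    return $diff;
}

// Constructed sample inputs covering every byte either function touches.
$samples = [
    'quote'     => "O'Reilly",
    'backslash' => 'a\\b',
    'nul'       => "a\x00b",
    'newline'   => "line1\nline2",
    'cr'        => "x\ry",
    'ctrl-z'    => "end\x1a",
];

// quote, backslash and nul come out identical; newline, cr and ctrl-z differ.
foreach (escaping_differences($samples) as $label => $pair) {
    printf("%-10s addslashes=%s  mysql_model=%s\n",
        $label, json_encode($pair['addslashes']), json_encode($pair['mysql_model']));
}
```

Run with `php example.php`. The three rows it prints are exactly the bytes addslashes() leaves alone (\n, \r and \x1a); the other half of the documented difference, character-set awareness for multibyte connections, cannot be shown without a live connection, which is why the real function takes a link handle.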