Posted by Chris Shiflett on 05/13/05 02:43
Richard Lynch wrote:
> It's all very well to repeat these pronouncements from on high that
> "mysql_real_escape_string is better" but I personally would sure
> appreciate somebody who's saying this to say *WHY* it is better, and in
> precisely what ways it is different from addslashes and/or magic quotes
> with or without data scrubbing.
From me:
The fact that it uses the character set of your current connection to
MySQL means that what your escaping function considers to be a single
quote is exactly what your database considers to be a single quote. If
these things don't match, your escaping function can miss something that
your database interprets, opening you up to an SQL injection attack.
This type of attack isn't quite as easy as when someone doesn't escape
their data at all, but it's something that can be avoided by using the
proper escaping function.
From Derick Rethans (sitting beside me):
Other things are that addslashes() screws up with big-5 (it can contain
\'s in multi-byte characters), and mysql_real_escape_string() takes into
account character sets.
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
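Added example, not part of the original post: a small Python model of the two approaches described above, written in Python rather than PHP so the byte-level behaviour is explicit. addslashes() here mimics PHP's byte-oriented addslashes(); charset_aware_escape() stands in for the property mysql_real_escape_string() gets from the live connection (it escapes at the character level of the connection charset) and is not MySQL's real routine. The sample input is constructed: the Big5 character 許 is encoded as the bytes 0xB3 0x5C, and its trailing byte is the same byte as an ASCII backslash, which is exactly the case Derick mentions.

```python
# Constructed example: byte-level escaping (addslashes) vs charset-aware escaping.


def addslashes(data: bytes) -> bytes:
    """Byte-oriented escaping in the spirit of PHP's addslashes(): prefix every
    0x27 ('), 0x22 ("), 0x5c (\\) and 0x00 byte, ignoring the character set."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):
            out += b"\\"
            out.append(b)
        elif b == 0x00:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


def charset_aware_escape(data: bytes, charset: str) -> bytes:
    """Escape at the character level of the connection charset: decode, escape
    the quote characters, re-encode. This is the property that makes
    mysql_real_escape_string() safer; it is not MySQL's own implementation.
    Bytes that are not valid in the charset are rejected (a design choice here)."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {charset}: {exc}") from None
    pieces = []
    for ch in text:
        if ch in ("'", '"', "\\"):
            pieces.append("\\" + ch)
        elif ch == "\x00":
            pieces.append("\\0")
        else:
            pieces.append(ch)
    return "".join(pieces).encode(charset)


def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Count single quotes the database would treat as string delimiters when it
    decodes `escaped` under `charset`: a quote not preceded by an odd number of
    backslashes. Zero means the escaping held up under that charset."""
    text = escaped.decode(charset, errors="replace")
    count = 0
    pending_backslash = False
    for ch in text:
        if ch == "'" and not pending_backslash:
            count += 1
        pending_backslash = (ch == "\\" and not pending_backslash)
    return count


# Constructed sample: the Big5 character 許 (bytes 0xB3 0x5C) followed by an
# apostrophe. The trailing byte 0x5C is what addslashes() sees as a backslash.
BIG5_SAMPLE = "許'".encode("big5")   # b"\xb3\x5c'"

if __name__ == "__main__":
    naive = addslashes(BIG5_SAMPLE)
    aware = charset_aware_escape(BIG5_SAMPLE, "big5")
    print("addslashes   :", naive, "-> unescaped quotes:", unescaped_quotes(naive, "big5"))
    print("charset-aware:", aware, "-> unescaped quotes:", unescaped_quotes(aware, "big5"))
```

Running it shows the mismatch Chris describes: addslashes() escapes the 0x5C trailing byte of 許 as if it were a backslash, and once the database reassembles the two-byte character the extra backslash pairs up with the inserted one, leaving the apostrophe as a bare string delimiter (and corrupting the stored text). The charset-aware version sees one character plus one quote and escapes only the quote. The practical check for a PHP deployment is the same as the post's advice: the escaping function and the database connection must agree on the character set.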