Posted by Jennifer Goodie on 05/13/05 05:03

-------------- Original message ----------------------
From: "Richard Lynch" <ceo@l-i-e.com>
> On Thu, May 12, 2005 4:43 pm, Chris Shiflett said:
> > From me:
> > The fact that it uses the character set of your current connection to
> > MySQL means that what your escaping function considers to be a single
> > quote is exactly what your database considers to be a single quote. If
> > these things don't match, your escaping function can miss something that
> > your database interprets, opening you up to an SQL injection attack.
>
> Under the following pre-conditions:
> 1. C Locale / English in MySQL data
> 2. No intention to ever switch natural language, nor database.
>
> is there any real benefit to spending man hours I really can't afford for
> legacy code to switch from Magic Quotes to mysql_real_escape_string -- and
> make no mistake, it would be a TON of man hours.

I believe it also takes into account special characters like _ and %, which addslashes does not. In certain instances if you do not escape special characters, such as the wildcards I mentioned, the results that you get can differ from what you intended. One instance this comes into play is a search form used by a non-technical user. You should probably check that though, it has been a while since I have looked into it.

[Back to original message]