I was looking at escape string in the MySQL docs, and read there that Esc String can significantly help in DB security.
My question is:
Do I need to add mysql_escape_string to the code if I have Apache 1.31.x and PHP 4.34 or PHP 5.0?
I tested the forms on my computer, and for every ' or " it replaced to \.
Does this mean that I don't need to worry about escape characters and strings, or do I need to include mysql_escape_string in the code?
Is it true that with this function you can prevent DOS, DDOS attacks?
Thanks Ahead!
Escape string
See http://php.net/manual/en/ref.info.php#i ... quotes-gpc
That setting in your php.ini is why quotes are being automatically escaped. It's generally considered good practice nowadays to turn magic_quotes Off and handle the escaping yourself. Using mysql_escape_string() can help prevent SQL injections but it's unrelated to DOS attacks.
And yes, you do need to make sure that you properly escape your data, which is why you should handle it yourself, then at least you know what's going on.
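The interaction described in the reply above, as an added example that is not part of the original thread: it shows what happens when a value already escaped by magic_quotes_gpc is escaped again, and the usual fix of stripping the automatic escaping first and escaping once when the query is built. The function names are hypothetical, the input is constructed, and `addslashes()` is only a stand-in used when `mysql_escape_string()` is unavailable.

```php
<?php
// Constructed sample input: what a user types into a form field.
$typed = "O'Reilly";

// magic_quotes_gpc applied addslashes() to every GET/POST/COOKIE value.
// Simulated here so the example does not depend on the php.ini setting.
function magic_quotes_effect($raw) {
    return addslashes($raw);
}

// Strip the automatic escaping so the script always works with the raw
// value. On PHP 4/5 the flag would come from get_magic_quotes_gpc().
function raw_value($value, $magicQuotesOn) {
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Escape exactly once, at the point where the SQL string is assembled.
// Assumption: addslashes() stands in for mysql_escape_string() on PHP
// builds that no longer ship it. It matches for this ASCII sample but is
// not a general replacement for the database's own escaping function.
function sql_escape($value) {
    return function_exists('mysql_escape_string')
        ? mysql_escape_string($value)
        : addslashes($value);
}

function build_query($name) {
    return "SELECT id FROM users WHERE name = '" . sql_escape($name) . "'";
}

// What the script receives when magic_quotes_gpc is On.
$received = magic_quotes_effect($typed);

// Case 1: escaping on top of magic quotes. The backslash that magic
// quotes added is itself escaped, so a literal backslash ends up in the
// value the database sees.
echo build_query($received), "\n";

// Case 2: undo the automatic escaping first, then escape once.
echo build_query(raw_value($received, true)), "\n";

// Case 3: magic_quotes_gpc Off. Nothing to strip, and the value is still
// escaped once, so the script behaves the same under either setting.
echo build_query(raw_value($typed, false)), "\n";
```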