Escape string

Post by Calimero »

I was looking at escape string in the MySQL docs, and read there that Esc String can significantly help in DB security.

My question is:
Do I need to add mysql_escape_string to the code if I have Apache 1.31.x and PHP 4.34 or PHP 5.0?

I tested the forms on my computer, and for every ' or " it replaced to \.

Does this mean that I don't need to worry about escape characters and strings, or do I need to include mysql_escape_string in the code?

Is it true that with this function you can prevent DOS, DDOS attacks?

Thanks ahead!

Post by markl999 »

See http://php.net/manual/en/ref.info.php#i ... quotes-gpc
That setting in your php.ini is why quotes are being automatically escaped. It's generally considered good practice nowadays to turn magic_quotes Off and handle the escaping yourself. Using mysql_escape_string() can help prevent SQL injections but it's unrelated to DOS attacks.
And yes, you do need to make sure that you properly escape your data which is why you should handle it yourself, then at least you know what's going on ;)
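
An added example, not part of either post, showing why input that magic_quotes_gpc has already touched should be normalised before mysql_escape_string() is applied once. It assumes PHP 4.3/5.0 with the mysql extension, as in the question; the `users` table and the helper function names are hypothetical, and the sample value is constructed.

```php
<?php
// Added example for the PHP 4.3/5.0 setup discussed in the thread.
// Helper names and the `users` table are hypothetical.

// Undo what magic_quotes_gpc did, so every value starts out raw.
// Handles nested arrays such as form fields named field[].
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Escape exactly once, at the point where the value enters the SQL text.
function build_lookup_query($name)
{
    return "SELECT id FROM users WHERE name = '"
         . mysql_escape_string($name) . "'";
}

// Constructed form value, and the same value as magic_quotes_gpc delivers it
// (the setting applies the same escaping as addslashes()).
$raw    = "O'Brien";
$quoted = addslashes($raw);

// Escaping the already-quoted value escapes the added backslash as well,
// so the lookup searches for a name containing a literal backslash.
echo build_lookup_query($quoted), "\n";

// Normalise first, then escape once: the lookup searches for the real name.
echo build_lookup_query(undo_magic_quotes($quoted)), "\n";

// In a request handler the normalisation runs once, at the top of the script,
// and only when the php.ini setting is actually on.
if (get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}
```

get_magic_quotes_gpc() and mysql_escape_string() were removed in later PHP releases (8.0 and 7.0 respectively), so this applies to the versions named in the question.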