What's the difference?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

influx
Forum Commoner
Posts: 31
Joined: Fri Aug 05, 2005 9:28 am

What's the difference?

Post by influx »

What exactly is the difference between addslashes() and mysql_real_escape_string()?

-influx
Grim...
DevNet Resident
Posts: 1445
Joined: Tue May 18, 2004 5:32 am
Location: London, UK

Post by Grim... »

One is easier to type ;)
Grim...
DevNet Resident
Posts: 1445
Joined: Tue May 18, 2004 5:32 am
Location: London, UK

Post by Grim... »

I RTFM and found this:

"mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a."

"addslashes() returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte)."
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

string addslashes ( string str )
Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
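The two character lists quoted above, compared byte by byte. This is an added example and not part of any post in the thread. `escape_like_mysql()` and `escaped_bytes()` are hypothetical helpers: the first models the quoted character list without a database connection, and its replacement sequences (`\0`, `\n`, `\r`, `\Z`) are an assumption modeled on MySQL's escaping.

```php
<?php
// Added example: which bytes does each escaping routine touch?

// Hypothetical stand-in for mysql_real_escape_string(), which needs an open
// MySQL connection. It covers the seven characters named in the quoted manual text.
function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\x00" => '\\0', "\n" => '\\n', "\r" => '\\r', "\x1a" => '\\Z',
        "\\"   => '\\\\', "'" => "\\'", '"'  => '\\"',
    ]);
}

// Return the labels of the probe bytes that $escape changes.
function escaped_bytes(callable $escape, array $probe): array
{
    $hit = [];
    foreach ($probe as $label => $byte) {
        if ($escape($byte) !== $byte) {
            $hit[] = $label;
        }
    }
    return $hit;
}

// Constructed probe set: the seven characters from the manual plus a control.
$probe = [
    'NUL' => "\x00", 'LF' => "\n", 'CR' => "\r", 'SUB' => "\x1a",
    'backslash' => "\\", 'single quote' => "'", 'double quote' => '"',
    'letter a' => 'a',
];

$byAddslashes = escaped_bytes('addslashes', $probe);
$byMysqlList  = escaped_bytes('escape_like_mysql', $probe);

echo "addslashes() escapes:        ", implode(', ', $byAddslashes), "\n";
echo "mysql list escapes:          ", implode(', ', $byMysqlList), "\n";
echo "left alone by addslashes():  ",
     implode(', ', array_diff($byMysqlList, $byAddslashes)), "\n";

// Constructed sample value; json_encode() is used only to make control bytes visible.
$sample = "O'Reilly\nsecond line\x1a";
echo "addslashes:  ", json_encode(addslashes($sample)), "\n";
echo "mysql model: ", json_encode(escape_like_mysql($sample)), "\n";
```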
influx
Forum Commoner
Posts: 31
Joined: Fri Aug 05, 2005 9:28 am

Post by influx »

So addslashes() is obviously less effective and has more potential to cause problems. In that case, when I upgrade my server to PHP 4.3.0 (when they introduced mysql_real_escape_string) should I change all instances of addslashes() to mysql_real_escape_string()?

NOTE: I have magic_quotes_gpc turned OFF
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Yes you should. That way, you don't add \' in your database anymore.