
What's the difference?

Posted: Thu Aug 11, 2005 11:19 am
by influx
What exactly is the difference between addslashes() and mysql_real_escape_string()?

-influx

Posted: Thu Aug 11, 2005 11:24 am
by Grim...
One is easier to type ;)

Posted: Thu Aug 11, 2005 11:30 am
by Grim...
I RTFM and found this:

"mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a."

"addslashes() returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte)."

Posted: Thu Aug 11, 2005 11:33 am
by s.dot
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

string addslashes ( string str )
Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).

Posted: Thu Aug 11, 2005 11:33 am
by influx
So addslashes() is obviously less effective and has more potential to cause problems. In that case, when I upgrade my server to PHP 4.3.0 (when they introduced mysql_real_escape_string) should I change all instances of addslashes() to mysql_real_escape_string()?

NOTE: I have magic_quotes_gpc turned OFF

Posted: Thu Aug 11, 2005 1:06 pm
by timvw
Yes you should. That way, you don't add \' in your database anymore.
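An added example (not code from the thread or from PHP itself): the two rule sets quoted above modelled as plain Python functions, so you can see on a constructed input which characters addslashes() leaves untouched. It assumes a single-byte character set; the real mysql_real_escape_string() is also aware of the connection's character set, which addslashes() never is, and that is the other reason to prefer it (or, in current PHP, prepared statements with bound parameters).

```python
# Models of the two escapers as described in the manual excerpts in the thread.
# addslashes(): backslash before ' " \ and NUL (NUL is written as the two chars \0)
ADDSLASHES_MAP = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\x00": "\\0"}

# mysql_real_escape_string(): the same four plus newline, carriage return and
# Ctrl-Z, written with MySQL's escape letters (\n, \r, \Z) so the result stays
# a valid string literal inside a query
MYSQL_ESCAPE_MAP = {
    **ADDSLASHES_MAP,
    "\n": "\\n",
    "\r": "\\r",
    "\x1a": "\\Z",
}


def addslashes(s: str) -> str:
    """Python model of PHP's addslashes()."""
    return "".join(ADDSLASHES_MAP.get(ch, ch) for ch in s)


def mysql_real_escape_string(s: str) -> str:
    """Python model of the MySQL C API escaper (single-byte charset assumed)."""
    return "".join(MYSQL_ESCAPE_MAP.get(ch, ch) for ch in s)


def left_unescaped_by_addslashes(s: str) -> list:
    """Characters in s that mysql_real_escape_string() would escape but
    addslashes() passes through unchanged. Handy as an audit check when
    reviewing legacy code that still builds queries with addslashes()."""
    only_mysql = set(MYSQL_ESCAPE_MAP) - set(ADDSLASHES_MAP)
    return sorted({ch for ch in s if ch in only_mysql})


if __name__ == "__main__":
    # constructed sample: a form value with a quote, a CRLF and a Ctrl-Z
    sample = "O'Brien\r\nline2\x1a"
    print(repr(addslashes(sample)))
    print(repr(mysql_real_escape_string(sample)))
    print(left_unescaped_by_addslashes(sample))
```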