addslashes() vs. mysql_real_escape_string()

SimonJ621
Forum Commoner
Posts: 36
Joined: Thu Jul 27, 2006 5:07 am
Location: Ohio

addslashes() vs. mysql_real_escape_string()

Post by SimonJ621 »

Hello all,

I'm building a class called 'safehouse' that includes different functions to filter data and create random strings for passwords and other things like that. My problem is, there are many times when I want to store variables in a 'clean' array after checking to see if they are of the correct input and after escaping them.

The problem is that mysql_real_escape_string() can only be called after a connection to the database is made, and I want to do things before that connection is made. That being said, would using addslashes() obtain the same objective with the same amount of security?

Thank you,

Jason
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Re: addslashes() vs. mysql_real_escape_string()

Post by volka »

SimonJ621 wrote: That being said, would using addslashes() obtain the same objective with the same amount of security?
No.
Please read http://shiflett.org/archive/184
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: addslashes() vs. mysql_real_escape_string()

Post by Chris Corbyn »

SimonJ621 wrote: Hello all,

I'm building a class called 'safehouse' that includes different functions to filter data and create random strings for passwords and other things like that. My problem is, there are many times when I want to store variables in a 'clean' array after checking to see if they are of the correct input and after escaping them.

The problem is that mysql_real_escape_string() can only be called after a connection to the database is made, and I want to do things before that connection is made. That being said, would using addslashes() obtain the same objective with the same amount of security?

Thank you,

Jason
addslashes() only escapes quotes and slashes.... why not use mysql_escape_string() ?
SimonJ621
Forum Commoner
Posts: 36
Joined: Thu Jul 27, 2006 5:07 am
Location: Ohio

Re: addslashes() vs. mysql_real_escape_string()

Post by SimonJ621 »

volka wrote: No. Please read http://shiflett.org/archive/184
Thank you, I'm actually reading a book by Chris Shiflett right now, Essential PHP Security.
d11wtq wrote: addslashes() only escapes quotes and slashes.... why not use mysql_escape_string() ?

And thank you, I'm just learning PHP and wasn't aware of this function, but it's exactly what I am looking for.


Jason