Regex vs. mysql_real_escape_string

Knowing that regex would most likely be the best solution in the sense of preventing SQL injection attacks and other forms of attacks, would mysql_real_escape_string() do the same thing?
I've noticed when researching the topics of SQL injection and security over user input that the two seem to be commonly used to filter the input before it is inserted.
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
regex is useful for filtering input: checking it is of the expected type/format/value.
mysql_real_escape_string (and the related escape functions for other DB libs) ESCAPES data. For example, you may filter usernames, and allow quotes, as in, for example, O'Connor. However MySQL needs to escape apostrophes, and so mysql_real_escape_string would be an extra step prior to using the value in an SQL query.
Typically escaping would not alter the originally filtered data - unless you want to output O''Connor or O\'Connor to users...
Filtering and Escaping are two different things.
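The filter-then-escape sequence Maugrim describes, as an added worked example that is not part of the thread or of any poster's code. It uses Python with an in-memory SQLite table (a constructed sample, with SQLite standing in for MySQL so the example runs offline; SQLite escapes an apostrophe by doubling it, the O''Connor form, where mysql_real_escape_string produces the backslash form O\'Connor). The username regex is this example's own rule, chosen so that O'Connor passes. It shows that a value can pass the filter and still break or hijack the query unless it is escaped, and it adds one step beyond the thread: the bound-parameter query, which keeps data out of the SQL text so no manual escaping is needed.

```python
import re
import sqlite3

# Filtering: this regex is the example's own rule (not from the thread).
# It admits letters, spaces, hyphens and apostrophes so that O'Connor passes,
# and rejects everything else. Filtering decides whether the value is
# acceptable; it does not make the value safe to splice into SQL text.
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,30}")


def is_valid_username(raw):
    """True if the whole string has the expected form."""
    return USERNAME_RE.fullmatch(raw) is not None


def filter_username(raw):
    """Return the username unchanged if it passes the filter, else raise."""
    if not is_valid_username(raw):
        raise ValueError("username has unexpected characters or length")
    return raw


def escape_sql_literal(value):
    """Escape a value for use inside a single-quoted SQL string literal.

    SQLite doubles the apostrophe: O'Connor -> O''Connor.  MySQL's
    mysql_real_escape_string produces O\\'Connor instead.  Either way the
    stored value is still O'Connor; only the literal in the query changes.
    """
    return value.replace("'", "''")


def make_db():
    """Constructed sample table: two users, one of them O'Connor."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("O'Connor",), ("alice",)])
    return conn


def run(conn, sql, params=()):
    """Return the matching ids, or None if the statement is malformed SQL."""
    try:
        return [row[0] for row in conn.execute(sql, params)]
    except sqlite3.Error:
        return None


def lookup_unescaped(conn, name):
    """Filtered but NOT escaped: an apostrophe in the value breaks the query."""
    name = filter_username(name)
    return run(conn, "SELECT id FROM users WHERE name = '%s'" % name)


def lookup_escaped(conn, name):
    """Filtered, then escaped before being spliced into the query text."""
    name = filter_username(name)
    return run(conn, "SELECT id FROM users WHERE name = '%s'"
               % escape_sql_literal(name))


def lookup_parameterised(conn, name):
    """Filtered, then passed as a bound parameter (beyond the thread's scope):
    the driver keeps the value out of the SQL text, so nothing needs escaping."""
    name = filter_username(name)
    return run(conn, "SELECT id FROM users WHERE name = ?", (name,))


if __name__ == "__main__":
    db = make_db()
    legit = "O'Connor"
    # Letters, spaces and apostrophes only, so it passes the filter,
    # yet it is an injection once spliced unescaped into the query.
    hostile = "x' OR 'a' LIKE 'a"
    print("unescaped, legit:     ", lookup_unescaped(db, legit))      # None (syntax error)
    print("unescaped, hostile:   ", lookup_unescaped(db, hostile))    # [1, 2] (every row)
    print("escaped, legit:       ", lookup_escaped(db, legit))        # [1]
    print("escaped, hostile:     ", lookup_escaped(db, hostile))      # []
    print("parameterised, legit: ", lookup_parameterised(db, legit))  # [1]
```

The filter does its job (a value with `;` or `%` is rejected), yet `x' OR 'a' LIKE 'a` passes it because quotes were deliberately allowed for O'Connor; only the escaping step (or a bound parameter) stops that value from rewriting the WHERE clause.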
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
There is also a lot of useful information in the Security Resources thread.