Regex vs. mysql_real_escape_string
Posted: Thu Jun 22, 2006 9:17 am
by Jixxor
Knowing that regex would most likely be the best solution in the sense of preventing SQL injection attacks and other forms of attacks, would mysql_real_escape_string() do the same thing?
I've noticed when researching the topics of SQL injection and security over user input that the two seem to be commonly used to filter the input before it is inserted.
Posted: Thu Jun 22, 2006 9:24 am
by Ree
I think it's always best to use the functionality provided by the specific db that is used. You have mysql_real_escape_string() readily available, why not use it?
Posted: Thu Jun 22, 2006 9:27 am
by Maugrim_The_Reaper
regex is useful for filtering input: checking it is of the expected type/format/value.
mysql_real_escape_string (and the related escape functions for other DB libs) ESCAPE data. For example, you may filter usernames, and allow quotes, as in, for example, O'Connor. However MySQL needs to escape apostrophes, and so mysql_real_escape_string would be an extra step prior to using the value in an SQL query.
Typically escaping would not alter the originally filtered data - unless you want to output O''Connor or O\'Connor to users...
Filtering and Escaping are two different things.
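The two-step approach described above, as an added example that is not code from anyone in this thread: a regex filter that accepts apostrophes in a username, followed by the driver's escape function applied only where the value enters the SQL text. It uses mysqli_real_escape_string (the mysqli equivalent of mysql_real_escape_string, since the old mysql extension no longer exists in current PHP); the connection details, the table name and the username rule are assumptions for the example.

```php
<?php
// Added example (not from the thread): filtering and escaping kept as two
// separate steps. Assumes a live mysqli connection; host, user, password,
// database and table names are placeholders.

// Step 1: FILTER. Check the value is of the expected format. This hypothetical
// rule allows letters, spaces, hyphens and apostrophes, 2 to 40 characters,
// so a name like O'Connor passes while control characters and SQL syntax
// such as ';' or '--' are rejected before anything reaches the database.
function is_valid_username(string $name): bool
{
    return preg_match('/^[A-Za-z][A-Za-z\' -]{1,39}$/', $name) === 1;
}

// Step 2: ESCAPE. Done only at the point the value is embedded in a query
// string, never earlier, so the value you keep and display stays unchanged.
function build_lookup_query(mysqli $db, string $name): string
{
    $escaped = mysqli_real_escape_string($db, $name);
    return "SELECT id FROM users WHERE name = '" . $escaped . "'";
}

$db = mysqli_connect('localhost', 'app_user', 'app_password', 'example_db');
if ($db === false) {
    die('connection failed: ' . mysqli_connect_error());
}

$input = "O'Connor"; // constructed sample input

if (!is_valid_username($input)) {
    die('rejected by filter');
}

// $input is still O'Connor here; only the text inside $sql is escaped:
// SELECT id FROM users WHERE name = 'O\'Connor'
$sql    = build_lookup_query($db, $input);
$result = mysqli_query($db, $sql);

// Neither step replaces the other: the filter enforces format, the escape
// step makes the characters the filter allowed safe inside the SQL string.
// A prepared statement with bound parameters achieves the escaping step
// without building the query text by hand.
```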
Posted: Thu Jun 22, 2006 9:31 am
by Jixxor
Great, thanks for the clarification.
Posted: Fri Jun 23, 2006 2:34 am
by Maugrim_The_Reaper
No problem, if you need any other information just shout.
Posted: Wed Jul 05, 2006 12:26 pm
by jason
Posted: Wed Jul 05, 2006 1:05 pm
by RobertGonzalez
There is also a lot of useful information in the Security Resources thread.