addslashes versus mysql_real_escape_string

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

JAB Creations
DevNet Resident
Posts: 2341
Joined: Thu Jan 13, 2005 6:44 pm
Location: Sarasota Florida

addslashes versus mysql_real_escape_string

Post by JAB Creations »

I am curious about the difference between addslashes and mysql_real_escape_string. Someone (possibly correlating to an NDA) mentioned that I should use stripslashes instead of mysql_real_escape_string.
Last edited by JAB Creations on Sat Oct 25, 2008 2:09 pm, edited 1 time in total.
Hannes2k
Forum Contributor
Posts: 102
Joined: Fri Oct 24, 2008 12:22 pm

Re: stripslashes versus mysql_real_escape_string

Post by Hannes2k »

Hi,
stripslashes and mysql_real_escape_string are totally different; using stripslashes instead of mysql_real_escape_string won't work. Look in the PHP manual for the differences.

Or do you mean the difference between mysql_real_escape_string and addslashes()? You should use mysql_real_escape_string instead of addslashes(), because there are some (very special) situations where addslashes won't defend against an SQL injection (this is why one uses mysql_real_escape_string).
JAB Creations
DevNet Resident
Posts: 2341
Joined: Thu Jan 13, 2005 6:44 pm
Location: Sarasota Florida

Re: stripslashes versus mysql_real_escape_string

Post by JAB Creations »

Err, I think I meant addslashes; I've updated the thread title.

Also, I'm 99% sure that there is absolutely no binary data being put into the databases by the person using this instead of mysql_real_escape_string.
Hannes2k
Forum Contributor
Posts: 102
Joined: Fri Oct 24, 2008 12:22 pm

Re: addslashes versus mysql_real_escape_string

Post by Hannes2k »

Hi,
there is some trouble with addslashes and some special (exotic) encodings, so that an escaped quotation mark is ignored and SQL injections are possible.

If you use normal encodings, e.g. UTF-8, this problem shouldn't exist, but it is better to use mysql_real_escape_string, because this function is specially made to protect you from SQL injections, and addslashes is not.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: addslashes versus mysql_real_escape_string

Post by josh »

mysql_real_escape_string escapes more than quotes; if you just use addslashes you can corrupt your binary data. Any security advantages would be arguable but have been proven; it would rely on some character set exploits.
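As an added example (not code from the thread), the Python below models the escaping rules PHP documents for addslashes() and mysql_real_escape_string() and checks whether a value round-trips through a simplified model of how the server reads a quoted literal, which makes the "exotic encodings" and "corrupt your data" points above concrete. mysql_real_escape_string only becomes charset-aware when the client library knows the connection charset (mysql_set_charset in PHP); the byte-wise functions here model what happens when it does not. The GBK sample character and the mysql_unescape model are constructed for illustration.

```python
# Added example (not from the thread): Python models of the escaping rules PHP
# documents for addslashes() and mysql_real_escape_string(), plus a round-trip
# check showing why byte-wise escaping breaks under a multibyte charset (GBK).

ADDSLASHES = {0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\", 0x00: b"\\0"}
# mysql_real_escape_string additionally escapes \n, \r and Ctrl-Z (0x1a).
MYSQL_ESCAPE = {**ADDSLASHES, 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z"}

def escape_bytes(data: bytes, table: dict) -> bytes:
    """Byte-wise escaping, blind to character boundaries (addslashes style)."""
    return b"".join(table.get(b, bytes([b])) for b in data)

def addslashes(data: bytes) -> bytes:
    return escape_bytes(data, ADDSLASHES)

def escape_for_charset(data: bytes, charset: str) -> bytes:
    """Charset-aware escaping: decode first, so a backslash only ever lands
    between characters, never inside a multibyte one."""
    text = data.decode(charset)
    escaped = "".join(MYSQL_ESCAPE[ord(c)].decode("ascii")
                      if ord(c) in MYSQL_ESCAPE else c for c in text)
    return escaped.encode(charset)

def mysql_unescape(literal: str) -> str:
    """Simplified model of the server reading a literal body: decode in the
    connection charset, then resolve backslash escapes per character."""
    unesc = {"0": "\x00", "n": "\n", "r": "\r", "Z": "\x1a"}
    out, i = [], 0
    while i < len(literal):
        if literal[i] == "\\" and i + 1 < len(literal):
            out.append(unesc.get(literal[i + 1], literal[i + 1]))
            i += 2
        else:
            out.append(literal[i])
            i += 1
    return "".join(out)

def round_trips(text: str, charset: str, escaper) -> bool:
    """True if the value the server would store equals what we meant to send."""
    raw = text.encode(charset)
    return mysql_unescape(escaper(raw, charset).decode(charset)) == text

# Constructed sample: a legitimate GBK character whose trailing byte is 0x5C.
GBK_CHAR = b"\x81\x5c".decode("gbk")
SAMPLE = "A" + GBK_CHAR + "n"

if __name__ == "__main__":
    byte_wise = lambda d, _cs: addslashes(d)
    print(round_trips("O'Brien", "utf-8", byte_wise))      # True
    print(round_trips(SAMPLE, "gbk", byte_wise))           # False: stray \ turns "n" into a newline
    print(round_trips(SAMPLE, "gbk", escape_for_charset))  # True
```

Under UTF-8 the byte-wise escapers pass because no continuation byte equals 0x27 or 0x5C; under GBK a backslash inserted mid-character corrupts legitimate text, and the same boundary confusion is what lets an escape be swallowed.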