addslashes versus mysql_real_escape_string
- JAB Creations
addslashes versus mysql_real_escape_string
I am curious about the difference between addslashes and mysql_real_escape_string. Someone (possibly correlating to an NDA) mentioned that I should use stripslashes instead of mysql_real_escape_string.
Last edited by JAB Creations on Sat Oct 25, 2008 2:09 pm, edited 1 time in total.
Re: stripslashes versus mysql_real_escape_string
Hi,
stripslashes and mysql_real_escape_string are totally different; using stripslashes instead of mysql_real_escape_string won't work. Look into the PHP Manual for the differences.
Or do you mean what the difference is between mysql_real_escape_string and addslashes()? You should use mysql_real_escape_string instead of addslashes(), because there are some (very special) situations where addslashes won't defend against an SQL injection (this is why one uses mysql_real_escape_string).
- JAB Creations
Re: stripslashes versus mysql_real_escape_string
Err I think I meant addslashes, I've updated the thread title.
Also, I'm 99% sure that there is absolutely no binary data being put into the databases by the person using this instead of mysql_real_escape_string.
Re: addslashes versus mysql_real_escape_string
Hi,
there is some trouble with addslashes and some special (exotic) encodings, so that an escaped quotation mark is ignored and SQL injections are possible.
If you use normal encodings, e.g. UTF-8, this problem shouldn't exist, but it is better to use mysql_real_escape_string, because this function is specially made for protecting you from SQL injections, and addslashes is not.
Re: addslashes versus mysql_real_escape_string
mysql_real_escape_string escapes more than quotes; if you just use addslashes you can corrupt your binary data. Any security advantages would be arguable but have been proven; it would rely on some character set exploits.
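As an added example, not code from the thread: the comparison the replies describe, written against PHP's mysqli extension because the mysql_* functions named above were removed in PHP 7. The host, credentials, table and sample input are placeholders constructed for the example.

```php
<?php
// Added example: addslashes(), a charset-aware escape, and a prepared statement.
// Assumes a local MySQL server; credentials and table name are placeholders.

// Constructed input: a quote, a newline and Ctrl-Z (bytes only the MySQL-aware
// escaper knows how to handle).
$input = "O'Reilly\nline2\x1a";

// addslashes() only escapes ' " \ and NUL, byte by byte, with no knowledge of
// the character set the connection uses. Newline and Ctrl-Z pass through unchanged.
$withAddslashes = addslashes($input);

$db = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'app_db');

// real_escape_string() escapes according to the connection's character set, so
// set_charset() must be called first. Issuing "SET NAMES ..." as a plain query is
// not enough: the client library would not learn about the change.
$db->set_charset('utf8mb4');
$withRealEscape = $db->real_escape_string($input);   // also escapes \n and \x1a

// An escaped value must still be wrapped in quotes by hand in the SQL text.
$db->query("INSERT INTO books (title) VALUES ('$withRealEscape')");

// Preferred: a prepared statement keeps the value out of the SQL text entirely,
// so neither escaping nor the character-set question arises.
$stmt = $db->prepare('SELECT id FROM books WHERE title = ?');
$stmt->bind_param('s', $input);
$stmt->execute();
$stmt->bind_result($id);
while ($stmt->fetch()) {
    echo "match: $id\n";
}
$stmt->close();
$db->close();
```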