[nycphp-talk] mysql_real_escape_string WAS: Mysql question!
Carlos A Hoyos
cahoyos at us.ibm.com
Tue Oct 31 16:29:50 EST 2006
> I'm currently reading "Building Scalable Web Sites" by Cal Henderson
> (which I think is great so far for anyone making large [or potentially
> large] web apps). In the section about avoiding sql injection attacks,
> he says "the more complicated mysql_real_escape_string escapes a bunch
> more characters but is ultimately unnecessary (although useful for
> making logs easier to read)." I thought that was interesting -
> "ultimately unnecessary."
mysql_real_escape_string takes into consideration the character set which
addslashes doesn't.
You are safe if you're using ansi-8859 or utf-8, but other character
encodings which have valid characters ending in 0x5c will not be properly
escaped by addslashes.
Chris has an example of this here: http://shiflett.org/archive/184
Carlos Hoyos
More information about the talk
mailing list