[nycphp-talk] addslashes vs mysql_escape_string()
Hans Zaunere
lists at zaunere.com
Sat Sep 22 19:50:30 EDT 2007
Hi Paul,
Paul Reinheimer wrote on Saturday, September 22, 2007 7:17 PM:
> Hey List,
>
> I was reading http://nyphp.org/phundamentals/storingretrieving.php,
> and I was a bit unsure about some of the characters listed
> as being escaped, and did some research. I think that we're listing a
> few characters as being escaped on that page that
> actually aren't escaped by the function. I've posted what I found
> here
>
> http://blog.preinheimer.com/index.php?/archives/247-addslashes-vs-mysql_escape_string.html
>
>
> If I'm wrong, please let me know, but I couldn't find any reference
> to some of those characters in the C source, or in my
> own tests.

In the section of the article I think you're addressing, we talked about
what characters MySQL considers special in strings; that is, having special
meaning. This includes the backspace and tab, per their documentation:

http://dev.mysql.com/doc/refman/5.0/en/string-syntax.html

They may or may not be escaped, but they do have special meaning to the
database which is why a database aware escape function should always be
used, vs a generic function like addslashes.

End of the day, it's not about what characters are actually escaped - it's
that the function you're using to escape is aware of the string's
destination. Maybe this is where the confusion is.

---
Hans Zaunere / President / New York PHP
www.nyphp.org / www.nyphp.com
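
Added illustration (not part of the original thread, and not code from PHP or MySQL): a PHP script that lists which of the characters discussed above are rewritten by addslashes() and which by a MySQL-aware escaper. `model_mysql_escape()` is a hypothetical stand-in that models the character set the PHP manual documents for mysql_real_escape_string(), assuming a single-byte connection charset, so the script runs without a database connection.

```php
<?php
// Hypothetical helper: models the bytes mysql_real_escape_string() rewrites
// (\x00, \n, \r, \, ', " and \x1a) for a single-byte connection charset.
// Production code should call the driver's escaper or use prepared statements.
function model_mysql_escape(string $s): string
{
    // strtr() with an array never rescans its own output, so the
    // backslashes it inserts are not escaped a second time.
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Constructed sample: one entry per character that MySQL's string-syntax
// documentation gives an escape sequence for.
$samples = [
    'NUL'       => "\0",
    'backspace' => "\x08",
    'tab'       => "\t",
    'newline'   => "\n",
    'CR'        => "\r",
    'Ctrl-Z'    => "\x1a",
    'backslash' => "\\",
    "quote '"   => "'",
    'quote "'   => '"',
    '%'         => '%',
    '_'         => '_',
];

printf("%-10s %-12s %-12s\n", 'char', 'addslashes', 'mysql-aware');
foreach ($samples as $name => $ch) {
    // A function "escapes" a character if its output differs from its input.
    $generic = addslashes($ch) !== $ch ? 'escaped' : 'unchanged';
    $aware   = model_mysql_escape($ch) !== $ch ? 'escaped' : 'unchanged';
    printf("%-10s %-12s %-12s\n", $name, $generic, $aware);
}
```

Backspace, tab, % and _ are left unchanged by both; newline, carriage return and Ctrl-Z are rewritten only by the MySQL-aware set.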