On Thursday 12 May 2005 06:30, -k. wrote:

> I have a related question, many of you have suggested
> using addslashes on your variables to prevent SQL
> injections, but is it safer to use
> mysql_real_escape_string (or mysql_escape_string)?
> What is the benefit / cost of using
> mysql_real_escape_string rather than addslashes? When
> using Postgres I always use pg_escape_string on
> anything I send the DB's way. In fact the manual says
> specifically to use pg_escape_string rather than
> addslashes (however it doesn't give that advice in
> mysql_real_escape_string)...

PostgreSQL uses a single-quote to escape a single-quote. MySQL uses a
backslash. Hence running addslashes() on a string destined for MySQL is
usually OK whilst doing so for PostgreSQL is not. But now that
mysql_real_escape_string() is available that is what you ought to use.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
New Year Resolution: Ignore top posted posts

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
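The two escaping conventions compared in the reply, worked through as an added example that is not part of the original thread or of PHP's own code. The block re-implements PHP's addslashes() behaviour and the quote-doubling that pg_escape_string() applies to quotes, then scans the resulting literal with a small toy tokenizer that can be switched between backslash-aware (MySQL-style) and standard-SQL (PostgreSQL-style) rules to see whether the payload breaks out of the string. It also runs the string-built query against SQLite, used here as a stand-in for PostgreSQL because SQLite likewise treats backslash as an ordinary character inside literals; that stand-in, the toy tokenizer, the `users` table and the payload strings are all assumptions of this example.

```python
import sqlite3


def addslashes(s: str) -> str:
    """Mimic PHP addslashes(): a backslash before ', ", \\ and NUL."""
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def quote_double(s: str) -> str:
    """Standard-SQL quote handling, as pg_escape_string() does for quotes:
    each single quote becomes two single quotes; backslash is untouched."""
    return s.replace("'", "''")


def literal_end(sql: str, start: int, backslash_escapes: bool) -> int:
    """Toy scanner (assumption of this example): return the index just past
    the single-quoted literal that begins at sql[start].  With
    backslash_escapes=True it follows MySQL's rule that a backslash escapes
    the next character; with False it follows standard SQL (PostgreSQL,
    SQLite), where backslash is an ordinary character.  A doubled quote is
    a literal quote in both modes."""
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if backslash_escapes and ch == "\\":
            i += 2
        elif ch == "'" and i + 1 < len(sql) and sql[i + 1] == "'":
            i += 2
        elif ch == "'":
            return i + 1
        else:
            i += 1
    raise ValueError("unterminated literal")


def breaks_out(value: str, escape, backslash_escapes: bool) -> bool:
    """True if, after escaping, the value closes the literal early so that
    the rest of the payload would be parsed as SQL."""
    prefix = "SELECT name FROM users WHERE name = "
    sql = prefix + "'" + escape(value) + "'"
    return literal_end(sql, len(prefix), backslash_escapes) != len(sql)


def make_db() -> sqlite3.Connection:
    """Constructed sample table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_interpolated(conn, name: str, escape):
    """The pattern under discussion: escape, then splice into the SQL text."""
    sql = "SELECT name FROM users WHERE name = '%s'" % escape(name)
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name: str):
    """Placeholder binding: the value never becomes part of the SQL text."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


# Constructed payloads: the classic tautology, and the same thing led by a
# backslash, which is the case where quote-doubling fails on MySQL.
HOSTILE = "' OR 1=1 --"
HOSTILE_BS = "\\' OR 1=1 --"

if __name__ == "__main__":
    for label, esc in (("addslashes", addslashes), ("quote_double", quote_double)):
        for dialect, bs in (("mysql-style", True), ("standard-sql", False)):
            for payload in (HOSTILE, HOSTILE_BS):
                print(label, dialect, repr(payload),
                      "BREAKS OUT" if breaks_out(payload, esc, bs) else "contained")
    conn = make_db()
    print("sqlite + addslashes   :", lookup_interpolated(conn, HOSTILE, addslashes))
    print("sqlite + quote_double :", lookup_interpolated(conn, HOSTILE, quote_double))
    print("sqlite + placeholder  :", lookup_parameterized(conn, HOSTILE))
```

Running it shows the mismatch in both directions: addslashes() keeps the payload inside the literal under backslash-aware rules but lets it escape under standard-SQL rules (and the SQLite query built that way returns every row), while quote-doubling is safe under standard-SQL rules but a leading backslash lets the payload escape under MySQL rules. mysql_real_escape_string() additionally consults the connection's character set, which neither of these pure string transforms does; placeholder binding avoids the dialect question entirely, which is why it is the preferred fix rather than choosing the right escape function.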