On Wed, May 11, 2005 5:23 pm, Jason Wong said:
> But now that mysql_real_escape_string() is available that is what you
> ought to use.

But are they REALLY different?

Or, put it this way:

Suppose I have 10,000,000 lines of code that have Magic Quotes on, which calls addslashes automatically, and I already have scrubbing in place for the data that can be scrubbed from untrusted users.

Is mysql_real_escape_string *DIFFERENT* in some incredibly huge secure way that I want to stop working on all my current projects to go re-write the 10,000,000 lines of code?

Or is mysql_real_escape_string just something I should use going forward in case it might be better someday, but it's really the same for now?

Or, is it a LITTLE better for an obscure hack that won't affect me if my scrubbing is halfway decent?

Or... ???

It's all very well to repeat these pronouncements from on high that "mysql_real_escape_string is better" but I personally would sure appreciate somebody who's saying this to say *WHY* it is better, and in precisely what ways it is different from addslashes and/or magic quotes with or without data scrubbing.

It's not quite yet at the point where I'm getting tired of hearing about "mysql_real_escape_string is better" but the envelope is being pushed. :-)

Maybe I just missed that detailed analysis of the inherent superiority of mysql_real_escape_string, but it's not for a lack of looking...

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
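The concrete difference the post asks about is that addslashes() works byte by byte and knows nothing about the connection's character set, while mysql_real_escape_string() escapes a slightly larger set of bytes (it also covers \n, \r and Ctrl-Z) and, when the client library knows the connection charset, steps over multibyte characters whole and escapes a lead byte that does not start a valid character. On a multibyte charset such as GBK that matters: addslashes() turns the byte pair 0xBF 0x27 into 0xBF 0x5C 0x27, and 0xBF 0x5C happens to be a valid GBK character, so the server sees a complete character followed by a bare quote. The following is an added example written for this thread, not code from the original posts or from PHP or MySQL. It models the GBK rules in Python (hypothetical helper names: addslashes, mysql_escape_gbk, literal_end, injection_escapes_literal) rather than calling the real functions, which would need a live MySQL connection, and the payload is constructed; the simplified server scanner models only the backslash and multibyte handling of a single-quoted literal.

```python
"""
Model of why addslashes() and a charset-aware escape differ under GBK.

Constructed example, not code from the mailing-list thread. The GBK rules
(lead byte 0x81-0xFE, trail byte 0x40-0x7E or 0x80-0xFE) are the real
ones; the escaping and scanning functions are simplified models of what
the MySQL client library and server do, not their source.
"""

GBK_LEAD = range(0x81, 0xFF)  # first byte of a two-byte GBK character


def gbk_is_trail(b: int) -> bool:
    """Valid second byte of a GBK character."""
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFE


def gbk_char_len(data: bytes, i: int) -> int:
    """2 if data[i:i+2] is a valid two-byte GBK character, otherwise 1."""
    if data[i] in GBK_LEAD and i + 1 < len(data) and gbk_is_trail(data[i + 1]):
        return 2
    return 1


def addslashes(data: bytes) -> bytes:
    """Model of PHP addslashes(): byte-wise, escapes ' " \\ and NUL only,
    with no knowledge of the character set."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):          # ' " \
            out += b"\\" + bytes([b])
        elif b == 0x00:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


# Bytes a charset-aware escape rewrites: NUL, \n, \r, \, ', ", Ctrl-Z
SINGLE_ESCAPES = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x5C: b"\\\\",
                  0x27: b"\\'", 0x22: b'\\"', 0x1A: b"\\Z"}


def mysql_escape_gbk(data: bytes) -> bytes:
    """Model of mysql_real_escape_string() on a GBK connection: copies valid
    multibyte characters whole, backslash-escapes a lead byte that does not
    start a valid character, and escapes the single bytes above."""
    out = bytearray()
    i = 0
    while i < len(data):
        if gbk_char_len(data, i) == 2:
            out += data[i:i + 2]
            i += 2
            continue
        b = data[i]
        if b in GBK_LEAD:
            out += b"\\" + bytes([b])  # orphan lead byte: escape it so it
        else:                          # cannot pair with a later backslash
            out += SINGLE_ESCAPES.get(b, bytes([b]))
        i += 1
    return bytes(out)


def literal_end(query: bytes, start: int) -> int:
    """Simplified model of the server scanning a single-quoted literal under
    GBK: multibyte characters are stepped over whole, a backslash skips the
    next byte, and the index of the closing quote is returned (-1 if none)."""
    i = start
    while i < len(query):
        if gbk_char_len(query, i) == 2:
            i += 2
        elif query[i] == 0x5C:
            i += 2
        elif query[i] == 0x27:
            return i
        else:
            i += 1
    return -1


def build_query(escaped_name: bytes) -> bytes:
    return b"SELECT * FROM users WHERE name = '" + escaped_name + b"'"


# Constructed payload: an orphan GBK lead byte followed by a quote.
PAYLOAD = b"\xbf' OR 1=1 -- "


def injection_escapes_literal(escaper) -> bool:
    """True if PAYLOAD, passed through `escaper`, ends the string literal
    before the intended closing quote."""
    query = build_query(escaper(PAYLOAD))
    start = query.index(b"'") + 1
    return literal_end(query, start) != len(query) - 1


if __name__ == "__main__":
    print("addslashes breaks out:", injection_escapes_literal(addslashes))
    print("charset-aware escape breaks out:",
          injection_escapes_literal(mysql_escape_gbk))
```

Note the caveat that goes with this: the charset-aware behaviour only applies when the client library itself knows the connection charset (set through the library's own charset call), not when the charset was switched with a SET NAMES query the library never saw; in that case mysql_real_escape_string() is escaping under the wrong assumptions too.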