On Thursday 12 May 2005 09:57, Richard Lynch wrote:

> On Wed, May 11, 2005 5:23 pm, Jason Wong said:
> > But now that mysql_real_escape_string() is available that is what you
> > ought to use.
>
> But are they REALLY different.

mysql_real_escape_string() is most certainly different from mysql_escape_string(), and of course addslashes(), in that it takes into account the language/character encoding. Also, the manual entries for addslashes() and mysql_real_escape_string() do tell you what characters are escaped.

> Or, put it this way:

[snip]

> Or is mysql_real_escape_string just something I should use going
> forward in case it might be better someday, but it's really the same
> for now?

I suppose that if you're not using some esoteric character encoding then the standard addslashes() would suffice. However, a "quick fix" is simply to do a search and replace, then make sure you have established a mysql connection early on in your code (before mysql_real_escape_string() is called).

> It's all very well to repeat these pronouncements from on high that
> "mysql_real_escape_string is better" but I personally would sure
> appreciate somebody who's saying this to say *WHY* it is better, and in
> precisely what ways it is different from addslashes and/or magic quotes
> with or without data scrubbing.

mysql_real_escape_string() calls the underlying MySQL C client library, and because that library is produced by the MySQL people they are in the best position to know what exactly needs escaping. And in the event that "what needs escaping" gets updated, you don't need to touch your code, because when the MySQL library is updated you're set. Not so if you use your own escaping function(s).

> Maybe I just missed that detailed analysis of the inherent superiority
> of mysql_real_escape_string, but it's not for a lack of looking...

Well, put it this way: addslashes() was not meant to make data "safe" for mysql, it just happened to work. Now that there is a better/official/whatever alternative, why not use it?

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
New Year Resolution: Ignore top posted posts
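The point above about escaping needing to know the connection's character encoding, as an added illustration that is not code from the thread or from PHP or MySQL: a constructed Python model of byte-wise escaping (how addslashes() treats the input) next to charset-aware escaping (the property mysql_real_escape_string() gets from the client library), using the Shift_JIS character 表, whose second byte happens to equal ASCII backslash. The escape tables and the checker function are assumptions of this example, taken from the documented escape sets, not from either function's source.

```python
# Added example (not from the original post): why escaping must know the
# connection's character set. Shift_JIS encodes U+8868 '表' as 0x95 0x5C,
# and 0x5C is also ASCII backslash, so a byte-wise escaper that never
# decodes the input mistakes the character's second byte for a backslash.
ADDSLASHES = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\x00": "\\0"}
# mysql_real_escape_string() additionally escapes newline, CR and Ctrl-Z.
MYSQL_REAL = {**ADDSLASHES, "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}


def escape_bytewise(raw: bytes, table=ADDSLASHES) -> bytes:
    """Escape byte by byte, the way addslashes() treats a raw byte string."""
    out = bytearray()
    for b in raw:
        rep = table.get(chr(b))
        out += rep.encode("ascii") if rep else bytes([b])
    return bytes(out)


def escape_charset_aware(raw: bytes, charset: str, table=MYSQL_REAL) -> bytes:
    """Decode with the connection charset, escape whole characters, re-encode."""
    text = raw.decode(charset)
    return "".join(table.get(c, c) for c in text).encode(charset)


def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Count quotes a charset-aware server would see as NOT escaped, i.e.
    quote characters not consumed by a preceding backslash escape."""
    text = escaped.decode(charset)
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2          # a backslash consumes the following character
            continue
        if text[i] in "'\"":
            count += 1
        i += 1
    return count


# Constructed sample: the character 表, an apostrophe and the letter s.
SAMPLE = "表's".encode("shift_jis")     # b'\x95\x5c\x27s'


def compare(sample: bytes = SAMPLE, charset: str = "shift_jis") -> dict:
    """How many quotes survive unescaped under each escaping strategy."""
    return {
        "bytewise": unescaped_quotes(escape_bytewise(sample), charset),
        "charset_aware": unescaped_quotes(
            escape_charset_aware(sample, charset), charset),
    }


if __name__ == "__main__":
    print(compare())   # {'bytewise': 1, 'charset_aware': 0}
```

The byte-wise result shows the corruption the post alludes to: the backslash inserted after 0x5C is swallowed into the multibyte character, and the server then reads the apostrophe as an unescaped quote, which is why the connection (and its charset) must exist before mysql_real_escape_string() is called.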