It's all very well to repeat these pronouncements from on high that "mysql_real_escape_string is better" but I personally would sure appreciate somebody who's saying this to say *WHY* it is better, and in precisely what ways it is different from addslashes and/or magic quotes with or without data scrubbing.
From me:
The fact that it uses the character set of your current connection to MySQL means that what your escaping function considers to be a single quote is exactly what your database considers to be a single quote. If these things don't match, your escaping function can miss something that your database interprets, opening you up to an SQL injection attack.
This type of attack isn't quite as easy as when someone doesn't escape their data at all, but it's something that can be avoided by using the proper escaping function.
From Derick Rethans (sitting beside me):
Other things are that addslashes() screws up with big-5 (it can contain \'s in multi-byte characters), and mysql_real_escape_string() takes into account character sets.
-- Chris Shiflett Brain Bulb, The PHP Consultancy http://brainbulb.com/
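The Big5 mismatch described in the reply above, as an added example that is not part of the original message: it uses Python rather than PHP so the byte-level behaviour can be run offline. The helper names are hypothetical, the input is constructed, and the charset-aware escaper is a sketch of the idea, not MySQL's implementation.

```python
# Added illustration: byte-wise escaping vs. charset-aware escaping under Big5.
# In Big5 the character 功 is the two bytes 0xA5 0x5C; its second byte is an ASCII backslash.

def addslashes_bytes(data: bytes) -> bytes:
    """Escape byte by byte, like PHP addslashes(): no knowledge of the charset."""
    out = bytearray()
    for b in data:
        if b == 0:
            out += b"\\0"
        else:
            if b in b"'\"\\":
                out.append(0x5C)  # prefix the byte with a backslash
            out.append(b)
    return bytes(out)

def escape_charset_aware(text: str, charset: str) -> bytes:
    """Escape whole characters, then encode (assumed sketch; a subset of what
    mysql_real_escape_string() escapes)."""
    return "".join("\\" + c if c in "'\"\\" else c for c in text).encode(charset)

def read_literal(sql: bytes, charset: str):
    """Read one '...' literal the way a server using `charset` would.
    Returns (value, rest), or None if the closing quote is never found.
    Simplified: backslash followed by x yields x."""
    chars = sql.decode(charset)
    if not chars.startswith("'"):
        raise ValueError("expected a quoted literal")
    out, i = [], 1
    while i < len(chars):
        c = chars[i]
        if c == "\\" and i + 1 < len(chars):
            out.append(chars[i + 1])
            i += 2
        elif c == "'":
            return "".join(out), chars[i + 1:]
        else:
            out.append(c)
            i += 1
    return None  # the closing quote was consumed by a stray backslash

def demo(value: str, charset: str = "big5"):
    """Return how the server reads the literal after each escaping approach."""
    naive = b"'" + addslashes_bytes(value.encode(charset)) + b"'"
    aware = b"'" + escape_charset_aware(value, charset) + b"'"
    return read_literal(naive, charset), read_literal(aware, charset)

if __name__ == "__main__":
    print(demo("成功"))     # constructed input containing 功
    print(demo("O'Brien"))  # plain ASCII: both approaches agree
```

With the constructed value 成功, the byte-wise escaper doubles the trail byte of 功, the server sees a stray backslash that swallows the closing quote, and the literal never terminates; the charset-aware version round-trips the value unchanged.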