On Thu, May 12, 2005 4:43 pm, Chris Shiflett said:

> From me:
> The fact that it uses the character set of your current connection to
> MySQL means that what your escaping function considers to be a single
> quote is exactly what your database considers to be a single quote. If
> these things don't match, your escaping function can miss something that
> your database interprets, opening you up to an SQL injection attack.

Under the following pre-conditions:

1. C Locale / English in MySQL data
2. No intention to ever switch natural language, nor database.

is there any real benefit to spending man hours I really can't afford for legacy code to switch from Magic Quotes to mysql_real_escape_string -- and make no mistake, it would be a TON of man hours.

If I *HAVE* to do it; fine.

If it's not going to really make a difference in my security, I'm only going to use mysql_real_escape_string going forward.

Or, put it another way:

If somebody puts in some Big5 data, or whatever, and I have Magic Quotes, is it "safe" or is that somehow going to allow some SQL injection security hole?

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
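The mismatch Chris describes, as an added example that is not part of this thread: Python (assumed here instead of PHP) contrasting byte-oriented escaping, which is what magic_quotes_gpc / addslashes do, with escaping performed on the characters of the connection charset, which is what mysql_real_escape_string does, using Big5 as the connection charset and a constructed input.

```python
# Added example, not code from the mailing-list thread or from PHP/MySQL.
# Byte-wise escaping can place a backslash byte (0x5C) where the connection
# charset treats it as the trail byte of a multibyte character, so the
# following quote is no longer escaped from the server's point of view.

ESCAPED_CHARS = "'\"\\\0"


def escape_bytewise(data: bytes) -> bytes:
    """addslashes()-style escaping: inspects single bytes, charset-unaware."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\0":
            out.append(0x5C)  # prepend a backslash byte
        out.append(b)
    return bytes(out)


def escape_charset_aware(data: bytes, charset: str) -> bytes:
    """Decode with the connection charset, escape characters, re-encode.
    Byte sequences invalid in that charset are rejected, not passed on."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {charset}") from exc
    escaped = "".join("\\" + ch if ch in ESCAPED_CHARS else ch for ch in text)
    return escaped.encode(charset)


def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Count single quotes the server would still treat as string delimiters
    after decoding the escaped bytes in the connection charset."""
    count, pending_escape = 0, False
    for ch in escaped.decode(charset, errors="replace"):
        if pending_escape:
            pending_escape = False
        elif ch == "\\":
            pending_escape = True
        elif ch == "'":
            count += 1
    return count


# Constructed input: a valid two-byte Big5 character whose trail byte is 0x5C,
# followed by an ASCII single quote.
SAMPLE = b"\xa5\x5c'"

if __name__ == "__main__":
    for name, esc in (("bytewise", escape_bytewise(SAMPLE)),
                      ("charset-aware", escape_charset_aware(SAMPLE, "big5"))):
        print(f"{name:14}{esc!r}  unescaped quotes: {unescaped_quotes(esc, 'big5')}")
```

A lead byte with no valid trail byte (constructed: b"\xa5'") is rejected by the charset-aware version, while the byte-wise version turns it into a valid character followed by a bare quote.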