-------------- Original message ----------------------
From: "Richard Lynch" <ceo@xxxxxxxxx>

> On Thu, May 12, 2005 4:43 pm, Chris Shiflett said:
> > From me:
> > The fact that it uses the character set of your current connection to
> > MySQL means that what your escaping function considers to be a single
> > quote is exactly what your database considers to be a single quote. If
> > these things don't match, your escaping function can miss something that
> > your database interprets, opening you up to an SQL injection attack.
>
> Under the following pre-conditions:
> 1. C Locale / English in MySQL data
> 2. No intention to ever switch natural language, nor database.
>
> is there any real benefit to spending man hours I really can't afford for
> legacy code to switch from Magic Quotes to mysql_real_escape_string -- and
> make no mistake, it would be a TON of man hours.

I believe it also takes into account special characters like _ and %, which
addslashes does not. In certain instances, if you do not escape special
characters, such as the wildcards I mentioned, the results that you get can
differ from what you intended. One instance where this comes into play is a
search form used by a non-technical user. You should probably check that,
though; it has been a while since I have looked into it.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
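Added example, not part of the thread: the defensive pattern the discussion points at, written for PHP's mysqli extension (the ext/mysql mysql_real_escape_string discussed above was removed in PHP 7). It declares the connection character set to the client library, escapes string literals with the connection-aware function, and treats the LIKE wildcards % and _ as a separate step for the search-form case. The host, credentials, table and search term are constructed placeholders, and a reachable MySQL server is assumed.

```php
<?php
// Added example, not from the mailing-list thread. Assumes a reachable MySQL
// server; host, credentials and the table articles(title, body) are placeholders.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    throw new RuntimeException('connect failed: ' . $db->connect_error);
}

// Tell the client library which character set the connection uses, so that
// real_escape_string() and the server agree on which bytes are a quote.
// (A plain "SET NAMES" query changes the server side but leaves the client
// library unaware, which is exactly the mismatch the thread warns about.)
$db->set_charset('utf8mb4');

// Escape a value for use inside a quoted string literal. This covers the
// string delimiters and control bytes, not the LIKE pattern metacharacters.
function quotedLiteral(mysqli $db, string $value): string
{
    return "'" . $db->real_escape_string($value) . "'";
}

// Escape the LIKE wildcards so user input matches literally. Backslash is
// MySQL's default LIKE escape character, so it must be escaped as well.
function escapeLikeWildcards(string $term): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
}

$term = '50%_off';   // constructed: what a user might type into a search form

// Legacy style: build the SQL text, but with both escaping steps applied.
// The wildcard escaping runs first; quotedLiteral() then doubles the
// backslashes so that the server's string parser hands "\%" back to LIKE.
$sql = 'SELECT title FROM articles WHERE body LIKE '
     . quotedLiteral($db, '%' . escapeLikeWildcards($term) . '%');
foreach ($db->query($sql) as $row) {
    echo $row['title'], "\n";
}

// Preferred style: a prepared statement keeps the value out of the SQL text
// entirely, so no quote escaping is needed. The wildcards are still part of
// the pattern, so they are escaped exactly as before.
$stmt = $db->prepare('SELECT title FROM articles WHERE body LIKE ?');
$pattern = '%' . escapeLikeWildcards($term) . '%';
$stmt->bind_param('s', $pattern);
$stmt->execute();
$stmt->bind_result($title);
while ($stmt->fetch()) {
    echo $title, "\n";
}
```

With the constructed term, both queries match rows whose body contains the literal text 50%_off rather than treating % and _ as pattern wildcards.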