On Thu, August 10, 2006 1:54 pm, Jochem Maas wrote:
> Warren Vail wrote:
>> Many of the older PHP implementations don't have the mysql_escape_string
>> function, if not addslashes should work....
>
> this is true.
>
>> I would be interested to know what might get past the addslashes function
>> that the mysql_escape_string function catches.
>
> not sure about that but one assumes MySQL is better equipped to know
> how to properly/safely escape data - besides mysql_real_escape_string()
> is character set aware. on top of this you don't know what the future
> will bring
> mysql(_real)_escape_string() is better in terms of future-proofing.
>
> if anyone answers Warren's question I would be interested to read about
> it too :-)

As I understand it, the only known issues are, in fact, with non-Latin1
character sets not being escaped properly, and leaving a big fat security
door unlocked because of it.

There is a theoretical possibility that something in Latin1 + addslashes is
still hinky, but it seems unlikely at this point in time, after most of a
decade of hacking...

This is NOT an endorsement of "sticking with" addslashes because you are
"sure" you'll never need anything more than Latin1 !!!

You *should* switch, even if only for the theoretical risk-reduction.

And because you only THINK you won't need more than Latin1, and you're
wrong. :-)

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
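To make the charset point in the reply above concrete, here is an added example that is not part of the post or of PHP/MySQL: a small Python model of a byte-oriented addslashes() next to a charset-aware escaper, plus a check that counts the quotes a server reading the result in the connection charset would still see as string delimiters. The helper names (addslashes, charset_escape, bare_quotes, is_safely_escaped) and the GBK sample input are constructed for this illustration.

```python
# Added illustration (not code from the PHP list post): a byte-oriented
# addslashes() next to a charset-aware escaper, showing why only the latter
# is safe when the connection charset is multibyte (GBK here).

def addslashes(data: bytes) -> bytes:
    """Like PHP's addslashes(): backslash before every quote/backslash
    *byte*, with no regard to the character set (NUL left out here)."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\":
            out.append(0x5C)  # '\'
        out.append(b)
    return bytes(out)

def charset_escape(data: bytes, charset: str) -> bytes:
    """Models what mysql_real_escape_string() gains from knowing the
    connection charset: decode, escape whole characters, re-encode.
    Byte sequences that are invalid in that charset are refused."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {charset}") from exc
    return "".join("\\" + c if c in "'\"\\" else c for c in text).encode(charset)

def bare_quotes(escaped: bytes, charset: str) -> int:
    """Check for an escaper: number of quotes the server would still treat
    as string delimiters when it reads `escaped` in `charset`."""
    text = escaped.decode(charset, errors="replace")
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # a backslash consumes the character after it
            continue
        if text[i] in "'\"":
            count += 1
        i += 1
    return count

def is_safely_escaped(data: bytes, charset: str) -> bool:
    """True when the charset-aware escaper accepts `data` and the server
    sees no bare quote in the result."""
    try:
        return bare_quotes(charset_escape(data, charset), charset) == 0
    except ValueError:
        return False

# Constructed sample: a GBK lead byte followed by an ASCII quote is not valid
# GBK, yet addslashes() still "escapes" it; read back as GBK the inserted
# backslash merges with the lead byte into one character and the quote is bare.
SAMPLE_GBK = b"\xbf'"
```

For Latin-1 input both escapers produce identical bytes, which is why the difference only shows up with a multibyte connection charset.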