Richard Lynch wrote:
> On Thu, August 10, 2006 1:54 pm, Jochem Maas wrote:
>> Warren Vail wrote:
>>> Many of the older PHP implementations don't have the mysql_escape_string
>>> function, if not addslashes should work....
>> this is true.
>>
>>> I would be interested to know what might get past the addslashes function
>>> that the mysql_escape_string function catches.
>> not sure about that but one assumes MySQL is better equipped to know how to
>> properly/safely escape data - besides, mysql_real_escape_string() is character
>> set aware. on top of this you don't know what the future will bring;
>> mysql(_real)_escape_string() is better in terms of future proofing.
>>
>> if anyone answers Warren's question I would be interested to read about
>> it too :-)
>
> As I understand it, the only known issues are, in fact, with non-Latin1
> character sets not being escaped properly, and leaving a big fat security
> door unlocked because of it.
>
> There is a theoretical possibility that something in Latin1 + addslashes is
> still hinky, but it seems unlikely at this point in time, after most of a
> decade of hacking...
>
> This is NOT an endorsement of "sticking with" addslashes because you are
> "sure" you'll never need anything more than Latin1 !!!
>
> You *should* switch, even if only for the theoretical risk-reduction.
>
> And because you only THINK you won't need more than Latin1, and you're
> wrong. :-)

beautifully put as always :-)

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php