On Thu, 2006-11-30 at 10:37 -0600, Johannes Lindenbaum wrote:
> Chris schrieb:
> > That part is correct.
> >
> > You shouldn't need to use addslashes - use mysql_real_escape_string or
> > mysql_escape_string depending on your (current) php version - they are
> > both "locale aware" and will escape things for you depending on mysql
> > server (re: language setup).
> >
> > Then just use htmlentities to display on the frontend rather than
> > using stripslashes.
> >
> > Of course other db's have similar functions, check the manual.
> >
> > --> Sorry I sent you this email to your personal account, Chris.
>
> Morning,
>
> Just a question out of pure curiosity. Why would one prefer using
> mysql_real_escape_string (I'm using 5.1.6 so mysql_escape_string is
> deprecated) and htmlentities instead of addslashes and stripslashes?
>
> I'm going to guess the main reason is to stop SQL injections? But
> wouldn't add- and stripslashes do the same?

addslashes() and stripslashes() are generic and don't properly take into
consideration the character set for the given database table. It states this
explicitly in the help for mysql_real_escape_string():

"Escapes special characters in the unescaped_string, taking into account the
current character set of the connection so that it is safe to place it in a
mysql_query(). If binary data is to be inserted, this function must be used."

Cheers,

Rob.
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'
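The escape-on-input, encode-on-output pattern Chris and Rob describe, as an added example that is not part of the thread: it uses mysqli_real_escape_string(), the connection-aware counterpart of the mysql_real_escape_string() discussed above (the old mysql_* extension no longer exists in current PHP), with placeholder connection details and a `comments` table assumed to have an auto-increment `id` and a `body` column.

```php
<?php
// Added example, not code from the thread. Connection details and the
// comments(id, body) table are assumptions for illustration.
$db = mysqli_connect('localhost', 'app', 'secret', 'demo');
if ($db === false) {
    die('connect failed: ' . mysqli_connect_error());
}

// Make the connection's character set explicit: the escaping function
// consults this setting, which is exactly what addslashes() cannot do.
mysqli_set_charset($db, 'utf8mb4');

// Constructed user input containing a quote, a backslash and HTML.
$comment = "O'Reilly says: \\ backslashes & <b>tags</b> stay literal";

// 1. Escape once, for the SQL context, using the connection's charset.
$sql = sprintf(
    "INSERT INTO comments (body) VALUES ('%s')",
    mysqli_real_escape_string($db, $comment)
);
mysqli_query($db, $sql) or die('insert failed: ' . mysqli_error($db));

// 2. Read it back. MySQL stored the original text, so no stripslashes()
//    is needed: the escaping only existed inside the query string.
$id  = (int) mysqli_insert_id($db);
$res = mysqli_query($db, "SELECT body FROM comments WHERE id = $id");
$row = mysqli_fetch_assoc($res);
assert($row['body'] === $comment);

// 3. Encode for the HTML context at display time, not at storage time,
//    so the stored value stays usable by any other consumer.
echo '<p>' . htmlentities($row['body'], ENT_QUOTES, 'UTF-8') . "</p>\n";

mysqli_close($db);
```

Storing the value unmodified and encoding per output context is what makes stripslashes() unnecessary; a value run through addslashes() on the way in and stripslashes() on the way out is escaped for neither SQL nor HTML correctly.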