[nycphp-talk] mysql_real_escape_string WAS: Mysql question!
Cliff Hirsch
cliff at pinestream.com
Tue Oct 31 17:44:45 EST 2006
I just read the same thing in Cal's book and was going to ask the group
about this. While prepared statements sound nice in theory, there are
many of us who still hack together "old-fashioned" queries. And what
does "ultimately unnecessary" mean anyway? Consumes more MIPS than it's
worth?
-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
On Behalf Of Rob Marscher
Sent: Tuesday, October 31, 2006 3:27 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] mysql_real_escape_string WAS: Mysql question!
A side note here about mysql_real_escape_string - curious if anyone is
an expert on this... In the last year, I switched over from using
addslashes to using mysql_real_escape_string to escape strings in sql
statements because it's the 'right thing to do.'
I'm currently reading "Building Scalable Web Sites" by Cal Henderson
(which I think is great so far for anyone making large [or potentially
large] web apps). In the section about avoiding sql injection attacks,
he says "the more complicated mysql_real_escape_string escapes a bunch
more characters but is ultimately unnecessary (although useful for
making logs easier to read)." I thought that was interesting -
"ultimately unnecessary."
Although I guess this argument will be moot as soon as people move to
php 5/mysql 5, as prepared statements seem to be the way to go there.
-Rob
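To make the comparison in the thread concrete, here is an added example (not code from either poster, and not from Cal Henderson's book). It re-implements, in Python, the character sets that PHP's addslashes() and MySQL's mysql_real_escape_string() escape, builds the same "old-fashioned" concatenated query both ways so the resulting SQL can be inspected, and then runs the concatenated query and a parameterized one against an in-memory SQLite table to show that the bound parameter keeps an injection payload as plain data. The table name, rows and payloads are constructed for the example; the SQLite part only illustrates binding, since SQLite does not understand MySQL's backslash escaping.

```python
import sqlite3

# PHP addslashes() escapes exactly four characters: ' " \ and NUL.
ADDSLASHES = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\x00": "\\0"}

# mysql_real_escape_string() escapes those plus newline, carriage return
# and Control-Z (the "bunch more characters" mentioned in the thread).
MYSQL_REAL_ESCAPE = dict(ADDSLASHES, **{"\n": "\\n", "\r": "\\r", "\x1a": "\\Z"})


def escape(value, table):
    """Escape `value` using one of the two character tables above."""
    return "".join(table.get(ch, ch) for ch in value)


def extra_escaped(value):
    """Characters in `value` that mysql_real_escape_string() rewrites
    but addslashes() leaves untouched (raw newlines in logged SQL, etc.)."""
    return sorted(ch for ch in set(value)
                  if ch in MYSQL_REAL_ESCAPE and ch not in ADDSLASHES)


def build_query(name, table=None):
    """The 'hacked together' query: user input interpolated into SQL,
    optionally escaped first. Returned as a string so it can be inspected."""
    escaped = name if table is None else escape(name, table)
    return f"SELECT name FROM users WHERE name = '{escaped}'"


def make_db():
    # Constructed sample data for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_concat(conn, name):
    """Unescaped concatenation: the payload becomes part of the SQL."""
    return conn.execute(build_query(name)).fetchall()


def lookup_prepared(conn, name):
    """Parameterized query: the payload is bound as data, never parsed as SQL."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    payload = "x' OR '1'='1"
    print(build_query(payload))                      # quote breaks out of the literal
    print(build_query(payload, ADDSLASHES))          # quote is escaped
    noisy = "bob\nDROP TABLE users"
    print(repr(build_query(noisy, ADDSLASHES)))      # raw newline survives
    print(repr(build_query(noisy, MYSQL_REAL_ESCAPE)))  # newline becomes \n
    print(extra_escaped(noisy))
    db = make_db()
    print(lookup_concat(db, payload))                # both rows: injection worked
    print(lookup_prepared(db, payload))              # no rows: payload stayed data
```

The escaping tables show the literal difference Cal's remark is about: for the quote and backslash that matter for breaking out of a string literal, both functions do the same thing, and the extra characters mostly affect how the query looks when it is logged. Note that the escaped output is only valid for MySQL's backslash convention; binding parameters, as the prepared-statement path does here, avoids depending on any particular escaping rule at all.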