[nycphp-talk] mysql_real_escape_string WAS: Mysql question!

David Krings ramons at gmx.net
Tue Oct 31 20:32:20 EST 2006


Dan Cech wrote:
> What you're failing to consider here is the character set of the active
> mysql connection.  Correct me if I'm wrong, but it is my understanding
> that mysql_real_escape_string does not incur an extra trip to the
> database, the escaping still occurs within php, but it takes into
> account the character set of the active connection.
>   
You probably know this better than I do, but in any case, you need to 
have a connection established, otherwise mysql_real_escape_string throws 
an error. That means that something is going back and forth to the db 
engine at some point, which isn't a big deal if one needs the connection 
anyway. Addslashes doesn't need anything.

> This may not seem that important right now, but when you find yourself
> wanting/needing to switch to utf8 you'll be glad you used mysql_real_escape.
>   
That was mentioned in a different post and I did not mean to make it 
appear as if this doesn't happen.

> As for how strange characters might get into input, assuming that it
> won't happen is just plain bad practice.  Of course the enterprising
> hacker will find a way to inject these characters, and addslashes will fail.
>   
I also did not mean to advertise using addslashes (I myself stopped 
doing that), but tried to get some sense into the "ultimately 
unnecessary" that was brought up by Cliff.

> When dealing with user input, always use the very best tools you have
> available to you, because the one corner you cut will be the chink in
> your application's armor.
>
> Dan
I wholeheartedly agree with this.

David K.
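The thread's point, that escaping must follow the character set of the open connection and that addslashes() does not, is illustrated below as an added example; it is not code from the original post or from NYPHP. It uses the mysqli extension rather than the old mysql_ functions the thread names, assumes a reachable MySQL server with placeholder credentials and a `users(name, email)` table, and shows both charset-aware escaping (which, as the post notes, needs a live connection) and the prepared statement that removes the escaping step entirely.

```php
<?php
// Added example, not from the original thread. Assumes a MySQL server reachable
// with the placeholder credentials below and a table `users(name, email)`.
declare(strict_types=1);

// Turn mysqli failures into exceptions so a missing connection cannot be ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');

// The escaping rules depend on the connection character set, so set it through
// the client API (not via "SET NAMES" in a query, which the client library
// does not see and therefore cannot use when escaping).
$db->set_charset('utf8mb4');

// 1. Charset-aware escaping. This needs the open connection above; addslashes()
//    would not, but it also knows nothing about the connection's character set.
function findByNameEscaped(mysqli $db, string $name): array
{
    $safe = $db->real_escape_string($name);
    $result = $db->query("SELECT name, email FROM users WHERE name = '$safe'");
    return $result->fetch_all(MYSQLI_ASSOC);
}

// 2. Prepared statement. The value travels separately from the SQL text, so
//    there is no escaping step to get wrong regardless of character set.
function findByNamePrepared(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, email FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

$input = "O'Reilly"; // constructed sample input containing a quote character
var_dump(findByNameEscaped($db, $input));
var_dump(findByNamePrepared($db, $input));
```

Of the two functions, the prepared statement is the "very best tool" the reply endorses: it works for every connection character set without the application having to know which one is active. If escaping is used at all, it has to be the connection-bound form, which is why the function cannot run before a connection exists.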