Hi, I just finished reading Chris Shiflett's article in this month's php|a about SQL injection and have a question I can't seem to find answered anywhere:
Does mysql_real_escape_string (or mysql_escape_string) do anything extra that addslashes() doesn't? In the examples in the manual it is just used to escape the ' character, but that is exactly what addslashes() will do anyway.

Is mysql_real_escape_string tolerant of magic quotes? i.e. will you end up with double-quoted strings like: "it\\'s a lovely day" if you call it too many times?

--
Best regards,
Richard Davey
http://www.phpcommunity.org/wiki/296.html