It's all very well to repeat these pronouncements from on high that "mysql_real_escape_string is better" but I personally would sure appreciate somebody who's saying this to say *WHY* it is better, and in precisely what ways it is different from addslashes and/or magic quotes with or without data scrubbing.
From me:
The fact that it uses the character set of your current connection to MySQL means that what your escaping function considers to be a single quote is exactly what your database considers to be a single quote. If these things don't match, your escaping function can miss something that your database interprets, opening you up to an SQL injection attack.
This type of attack isn't quite as easy as when someone doesn't escape their data at all, but it's something that can be avoided by using the proper escaping function.
From Derick Rethans (sitting beside me):
Other things are that addslashes() screws up with big-5 (it can contains \'s in multi-byte characters), and mysql_real_escape_string() takes into account charcter sets.
-- Chris Shiflett Brain Bulb, The PHP Consultancy http://brainbulb.com/
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
