Dotan Cohen wrote:
So far as I understand mysql_real_escape_string() was invented because
addslashes() is not adequate.

Correct, addslashes() works fine for latin1 (single byte encoding) but does not work properly when used with a multibyte encoded string. That is most likely the reason why mysql_real_escape_string() checks the encoding before escaping so it can do the right thing for the used encoding.

Here is a quote from the description of a forum SQL injection exploit:
"Addslashes simply adds a backslash (0x5c) before single quote ('), double quote ("), backslash (\) and NUL (the NULL byte), without checking if the added blackslash creates another char.

Bytes in Input   0xa327
Addslashes(Bytes in Input)   0xa35c27                                           

In big5, but also in other multibyte charsets, 0xa35c is a valid char: 0x27 (') is left alone."

No Victim, No Crime

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to