To quote "Jonathan"

Well, mysql_real_escape_string doesn't protect against sql injections more
than addslashes, but that's not the reason you use it. addslashes() was from
the developers of PHP whereas mysql_real_escape_string uses the underlying
MySQL C++ API (i.e. from the developers of MySQL). mysql_real_escape_string
escapes EOF chars, quotes, backslashes, carriage returns, nulls, and line
feeds. There is also the charset aspect.

However, it is a common thought among a lot of PHP programmers (beginning
and even more advanced) that SQL injections are the only thing to guard
against when sanitizing user input before using it in a query. That, actually, is
incorrect. If you only rely on *_escape_string and addslashes because you
are only thinking about injections, you leave yourself vulnerable to attacks
from users.

It's a nice read, especially if you like reading articles about PHP
programming (*guilty*). Scroll down to page 78 where they talk about LIKE.

Richard L. Buskirk

-----Original Message-----
From: Jason Pruim [] 
Sent: Wednesday, May 18, 2011 9:19 PM
Subject: [PHP] Filtering data not with mysql...

Hey Everyone,

Probably a simple question but I wanted to make sure I was right
before I got too far ahead of myself....

I have a form that I am working on and this form will be emailed to
the recipient for processing (Not stored in a database).

When I store in a database, I simply run all the data through
mysql_real_escape_string() and it's all good...  Without the database,
is it just as easy as addslashes($var)? Or is there more that needs to
be done?

In the end, the info will be echoed back out to the user to be viewed
but not edited, and emailed to someone to add the registration, collect
money, etc etc.

Am I on the right track or do I need to rethink my whole process? :)

Thanks Everyone!
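The point Richard makes (SQL escaping only addresses the SQL context) and the two outputs Jason describes (echoing the form back as HTML and sending it by e-mail) are illustrated below in an added example. It is not code from either poster; it assumes PHP 7 or later, a form with `name`, `email` and `comments` fields, and uses PHP's own `htmlspecialchars()`, `filter_var()` and `mail()`. The sample input is constructed here to show why `addslashes()` fits none of these contexts.

```php
<?php
// Added example: each output context gets its own encoding or validation.
// addslashes()/mysql_real_escape_string() protect an SQL string literal and
// nothing else, so they are deliberately absent from the HTML and mail paths.

// Constructed sample input standing in for $_POST, including hostile values.
$input = [
    'name'     => "O'Brien <script>alert(1)</script>",
    'email'    => "user@example.com\r\nBcc: someone-else@example.net",
    'comments' => "Line one\nLine two with a \"quote\" and a \\ backslash",
];

/** Encode a value for inclusion in an HTML page body (the "echo back" view). */
function forHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Validate a value destined for a mail header: header injection needs CR/LF. */
function forMailHeader(string $value): string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException('Header field contains a line break or NUL');
    }
    return trim($value);
}

/** Accept only a syntactically valid single address for the Reply-To header. */
function asEmailAddress(string $value): string
{
    $addr = filter_var(trim($value), FILTER_VALIDATE_EMAIL);
    if ($addr === false) {
        throw new InvalidArgumentException('Not a valid e-mail address');
    }
    return forMailHeader($addr);
}

/** Plain-text mail body: normalise line endings, no escaping of quotes needed. */
function forMailBody(string $value): string
{
    return preg_replace("/\r\n?|\n/", "\r\n", $value);
}

// 1. Echo the submission back to the user as HTML.
echo "<p>Name: " . forHtml($input['name']) . "</p>\n";
echo "<p>Comments: " . nl2br(forHtml($input['comments'])) . "</p>\n";

// 2. Build the notification mail. The hostile address is rejected here instead
//    of silently adding a Bcc: header to the outgoing message.
try {
    $replyTo = asEmailAddress($input['email']);
    $subject = forMailHeader('Registration from ' . $input['name']);
    $body    = forMailBody("Name: {$input['name']}\nComments:\n{$input['comments']}");
    $headers = ['Reply-To' => $replyTo, 'Content-Type' => 'text/plain; charset=UTF-8'];
    // mail('registrations@example.org', $subject, $body, $headers); // placeholder recipient
    echo "Mail would be sent with Reply-To: {$replyTo}\n";
} catch (InvalidArgumentException $e) {
    echo "Rejected submission: " . forHtml($e->getMessage()) . "\n";
}

// 3. What addslashes() would have produced for the mail body: the recipient
//    sees literal backslashes, and the header injection above is untouched.
echo addslashes($input['comments']) . "\n";
```

Run with `php example.php`: the HTML output shows the `<script>` tag as inert text, the mail branch prints "Rejected submission" because of the CR/LF in the address, and the last line shows `\"quote\"` and `\\`, which is the wrong result for a human-readable message.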

PHP General Mailing List (
To unsubscribe, visit:
