I remember this exact question and I thought Jonathan gave the best
He suggested the addcslashes function in combination with the 
This is a good read and the function was updated as recent as 5.2.5.
Please pay close attention to the name it is a C-like function not the normal 

$sub = addcslashes(mysql_real_escape_string("%something_"), "%_");

He goes on to explain that mysql_real_escape_string and addslashes do NOT 
protect against this next example.

$sub = mysql_real_escape_string("%something"); // still %something
mysql_query("SELECT * FROM messages WHERE subject LIKE '{$sub}%'");

And recommends the following.

$sub = addcslashes(mysql_real_escape_string("%something_"), "%_");
// $sub == \%something\_
mysql_query("SELECT * FROM messages WHERE subject LIKE '{$sub}%'");

I understand you are not going to insert into a database at this time.
But you did state you are going to email the contents, and I would take the same
precautions with user input fields.

Only a suggestion I hope this helps.

Richard L. Buskirk
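The same wildcard escaping, as an added example that is not code from this thread: addcslashes() makes the user's % and _ literal, while a PDO prepared statement takes over the string-escaping role of mysql_real_escape_string(). The table name, rows and inputs are constructed; an in-memory SQLite database is used so it runs offline.

```php
<?php
// Added example, not code from the thread. escape_like() follows Richard's
// advice (addcslashes on the LIKE wildcards); the pattern is then bound with
// a PDO prepared statement rather than interpolated after manual escaping.

function escape_like(string $value): string
{
    // Backslash is the LIKE escape character, so it must be escaped too;
    // after that, % and _ are plain characters inside the pattern.
    return addcslashes($value, '\\%_');
}

function find_by_prefix(PDO $pdo, string $userInput, bool $escape): array
{
    // Only our trailing % is meant as a wildcard; the user's % and _ are data.
    $pattern = ($escape ? escape_like($userInput) : $userInput) . '%';
    // ESCAPE '\' is written explicitly because SQLite has no default escape
    // character. MySQL defaults to backslash; if you add the clause there,
    // write ESCAPE '\\' because MySQL string literals treat \ specially.
    $stmt = $pdo->prepare(
        "SELECT subject FROM messages WHERE subject LIKE ? ESCAPE '\\'"
    );
    $stmt->execute([$pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data: three subjects that share the prefix "100".
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, subject TEXT)');
$ins = $pdo->prepare('INSERT INTO messages (subject) VALUES (?)');
foreach (['100% done', '100_done', '1000 done'] as $subject) {
    $ins->execute([$subject]);
}

// Constructed user inputs containing the two LIKE wildcards. Unescaped, each
// matches all three rows; escaped, only the subject that literally starts
// with that text.
foreach (['100%', '100_'] as $input) {
    printf("%-5s unescaped: %s\n", $input,
        implode(', ', find_by_prefix($pdo, $input, false)));
    printf("%-5s escaped:   %s\n", $input,
        implode(', ', find_by_prefix($pdo, $input, true)));
}
```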

-----Original Message-----
From: Andre Polykanine [] 
Sent: Thursday, May 19, 2011 7:38 AM
Cc: 'Jason Pruim';
Subject: Re: [PHP] Filtering data not with mysql...

Hi Richard,

Oh my... I hate those pdf's :-((
Could someone tell me in a few words what I need to do besides
mysql_real_escape_string() and HTML input sanitizing?
Thanks and sorry for the inconvenience)

With best regards from Ukraine,
Skype: Francophile
My blog: (mostly in Russian)

------------ Original message ------------
From: <>
To: 'Jason Pruim'
Date created: , 4:17:55 AM
Subject: [PHP] Filtering data not with mysql...

To quote "Jonathan":

Well, mysql_real_escape_string doesn't protect against sql injections more
than addslashes, but that's not the reason you use it. addslashes() was from
the developers of PHP whereas mysql_real_escape_string uses the underlying
MySQL C++ API (i.e. from the developers of MySQL). mysql_real_escape_string
escapes EOF chars, quotes, backslashes, carriage returns, nulls, and line
feeds. There is also the charset aspect.

However, it is a common thought among a lot of PHP programmers (beginning
and even more advanced) that SQL injections are the only thing to guard
against when sanitizing user input before using it in a query. That, actually, is
incorrect. If you only rely on *_escape_string and addslashes because you
are only thinking about injections, you leave yourself vulnerable to attacks
from users.
It's a nice read, especially if you like reading articles about PHP
programming (*guilty*). Scroll down to page 78 where they talk about LIKE

Richard L. Buskirk

-----Original Message-----
From: Jason Pruim [] 
Sent: Wednesday, May 18, 2011 9:19 PM
Subject: [PHP] Filtering data not with mysql...

Hey Everyone,

Probably a simple question but I wanted to make sure I was right
before I got too far ahead of myself....

I have a form that I am working on and this form will be emailed to  
the recipient for processing (Not stored in a database).

When I store in a database, I simply run all the data through
mysql_real_escape_string() and it's all good... Without the database,
is it just as easy as addslashes($var)? Or is there more that needs to
be done?

In the end, the info will be echoed back out to the user to be viewed
but not edited, and emailed to someone to add the registration, collect
money, etc.

Am I on the right track or do I need to rethink my whole process? :)

Thanks Everyone!

PHP General Mailing List (
To unsubscribe, visit: