On Fri, May 13, 2005 12:51 am, Marek Kilimajer said:
Richard Lynch wrote:
On Thu, May 12, 2005 4:43 pm, Chris Shiflett said:
From me:
The fact that it uses the character set of your current connection to
MySQL means that what your escaping function considers to be a single
quote is exactly
Richard Lynch wrote:
On Fri, May 13, 2005 12:51 am, Marek Kilimajer said:
Richard Lynch wrote:
On Thu, May 12, 2005 4:43 pm, Chris Shiflett said:
From me:
The fact that it uses the character set of your current connection to
MySQL means that what your escaping function considers to be a single
Richard Lynch wrote:
On Thu, May 12, 2005 4:43 pm, Chris Shiflett said:
From me:
The fact that it uses the character set of your current connection to
MySQL means that what your escaping function considers to be a single
quote is exactly what your database considers to be a single quote. If
these
On Wed, May 11, 2005 8:58 pm, Jason Wong said:
Well put it this way, addslashes() was not meant to make data safe for
mysql, it just happened to work. Now there is a better/official/whatever
alternative why not use it?
Actually, unless I'm very much mistaken about why addslashes() was
written,
On Wed, May 11, 2005 8:27 pm, James Williams said:
On 5/11/05, Richard Lynch [EMAIL PROTECTED] wrote:
Is mysql_real_escape_string *DIFFERENT* in some incredibly huge secure
way
that I want to stop working on all my current projects to go re-write
the
10,000,000 lines of code?
2 words:
-Original Message-
From: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 12, 2005 8:47 AM
I'd bet a dollar that if the MySQL C Client library changed what needs
escaping, addslashes would change with it.
Ehhh? I think not. Let's let a mindgame (can't spell hypo..whatever
I'm pretty sure that, in order to use mysql_real_escape_string() you
must have magic quotes off or use stripslashes first... the same as
addslashes, so it should work if you just search and replace. Don't
quote me on that though
On 5/12/05, Richard Lynch [EMAIL PROTECTED] wrote:
On Wed, May 11,
On Thu, May 12, 2005 12:39 pm, James Williams said:
I'm pretty sure that, in order to use mysql_real_escape_string() you
must have magic quotes off or use stripslashes first... the same as
addslashes, so it should work if you just search and replace. Don't
quote me on that though
Well, yes,
I couldn't tell you the technicals of it, but just from the PHP documentation:
This function must always (with few exceptions) be used to make data
safe before sending a query to MySQL.
On 5/12/05, Richard Lynch [EMAIL PROTECTED] wrote:
On Thu, May 12, 2005 12:39 pm, James Williams said:
I'm
On Thu, May 12, 2005 1:44 am, Kim Madsen said:
-Original Message-
From: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 12, 2005 8:47 AM
I'd bet a dollar that if the MySQL C Client library changed what needs
escaping, addslashes would change with it.
Ehhh? I think not.
Richard Lynch wrote:
It's all very well to repeat these pronouncements from on high that
mysql_real_escape_string is better but I personally would sure
appreciate somebody who's saying this to say *WHY* it is better, and in
precisely what ways it is different from addslashes and/or magic quotes
On Thu, May 12, 2005 4:43 pm, Chris Shiflett said:
From me:
The fact that it uses the character set of your current connection to
MySQL means that what your escaping function considers to be a single
quote is exactly what your database considers to be a single quote. If
these things don't
-- Original message --
From: Richard Lynch [EMAIL PROTECTED]
On Thu, May 12, 2005 4:43 pm, Chris Shiflett said:
From me:
The fact that it uses the character set of your current connection to
MySQL means that what your escaping function considers to be a
I have a related question, many of you have suggested
using addslashes on your variables to prevent SQL
injections, but is it safer to use
mysql_real_escape_string (or mysql_escape_string)?
What is the benefit / cost of using
mysql_real_escape_string rather than addslashes? When
using Postgres i
On Thursday 12 May 2005 06:30, -k. wrote:
I have a related question, many of you have suggested
using addslashes on your variables to prevent SQL
injections, but is it safer to use
mysql_real_escape_string (or mysql_escape_string)?
What is the benefit / cost of using
mysql_real_escape_string
On Wed, May 11, 2005 5:23 pm, Jason Wong said:
But now that mysql_real_escape_string() is available that is what you
ought to use.
But are they REALLY different.
Or, put it this way:
Suppose I have 10,000,000 lines of code that have Magic Quotes on, which
calls addslashes automatically, and I
On 5/11/05, Richard Lynch [EMAIL PROTECTED] wrote:
Is mysql_real_escape_string *DIFFERENT* in some incredibly huge secure way
that I want to stop working on all my current projects to go re-write the
10,000,000 lines of code?
2 words: Search Replace.
--
PHP General Mailing List
On Thursday 12 May 2005 09:57, Richard Lynch wrote:
On Wed, May 11, 2005 5:23 pm, Jason Wong said:
But now that mysql_real_escape_string() is available that is what you
ought to use.
But are they REALLY different.
mysql_real_escape_string() is most certainly different from