So are there any real tangible advantages to mysql_real_escape_string as opposed to addslashes?
-Brian

Rob Marscher wrote:
> A side note here about mysql_real_escape_string - curious if anyone is
> an expert on this... In that last year, I switched over from using
> addslashes to using mysql_real_escape_string to escape strings in sql
> statements because it's the 'right thing to do.'
>
> I'm currently reading "Building Scalable Web Sites" by Cal Henderson
> (which I think is great so far for anyone making large [or potentially
> large] web apps). In the section about avoiding sql injection attacks,
> he says "the more complicated mysql_real_escape_string escapes a bunch
> more characters but is ultimately unnecessary (although useful for
> making logs easier to read)." I thought that was interesting -
> "ultimately unnecessary."
>
> Although I guess this argument will be moot as soon as people move to
> php 5/mysql 5, as prepared statements seem to be the way to go there.
>
> -Rob
>
> csnyder wrote:
>> On 10/30/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>>
>>> [...]
>>> //Add new customer to database
>>> function AddNewCustomer($FirstName, $LastName, $Address,
>>>                         $City, $State, $ZipCode,
>>>                         $AreaCode, $Phone, $Email,
>>>                         $WebsiteURL, $LoginName, $Password
>>>                        )
>>> {
>>>     $query = 'INSERT INTO Customer_Info (FirstNameCol,
>>>                  LastNameCol, AddressCol, CityCol, StateCol,
>>>                  ZipCodeCol, AreaCodeCol, PhoneCol,
>>>                  EmailCol, WebsiteURLCol,
>>>                  LoginNameCol, PasswordCol
>>>              )
>>>              VALUES ("'. $FirstName . '", "' . $LastName . '",
>>>                      "' . $Address . '", "' . $City . '",
>>>                      "' . $State . '", "' . $ZipCode . '",
>>>                      "' . $AreaCode . '", "' . $Phone . '",
>>>                      "' . $Email . '",
>>>                      "' . $WebsiteURL . '", "' . $LoginName . '",
>>>                      "' . SHA1($Password) . '")';
>>> }
>>>
>>> Feel free to correct my code and give suggestions for better techniques.
>>>
>>>
>> Hi Paul,
>>
>> You always need to escape each of the user submitted values in your
>> SQL, in order to prevent breakage and security vulnerabilities.
>> The mysql_real_escape_string() function is the recommended way to do this.
>>
>> function dbEsc( $value ) {
>>     return mysql_real_escape_string( $value );
>> }
>>
>> function AddNewCustomer( $FirstName ) {
>>     $query = 'INSERT INTO Customer_Info ( FirstNameCol )
>>               VALUES ("'. dbEsc($FirstName) . '")';
>>     return mysql_query($query);
>> }
>>
>> This is one of the two fundamental rules of secure web programming
>> with php (the other being that you always escape output values using
>> htmlentities()).
>>
>>

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
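An added example, not code from anyone in this thread, that puts Brian's question and Rob's "prepared statements" remark side by side. Part one is a pure-PHP model of the character set mysql_real_escape_string() is documented to escape (NUL, newline, carriage return, backslash, single quote, double quote and Control-Z), so the difference from addslashes() (which handles only quotes, backslash and NUL) can be seen offline; the model deliberately ignores the connection character set that the real function consults, which is exactly what makes the real function preferable to any string-only substitute. Part two rewrites Paul's AddNewCustomer() with a PDO prepared statement, the PHP 5 approach Rob alludes to, in which values never touch the SQL text and so need no escaping at all. The DSN and credentials are placeholders, the column list is a subset of Paul's, and password_hash() is swapped in for the SHA1() call in the original.

```php
<?php
// Part 1: reference model of what mysql_real_escape_string() escapes.
// This is a teaching model for single-byte character sets only; the real
// function is character-set aware and should be used instead of this.
function modelMysqlEscape(string $s): string {
    return strtr($s, [
        "\x00" => '\\0',   // NUL
        "\n"   => '\\n',   // newline
        "\r"   => '\\r',   // carriage return
        "\\"   => '\\\\',  // backslash
        "'"    => "\\'",   // single quote
        '"'    => '\\"',   // double quote
        "\x1a" => '\\Z',   // Control-Z
    ]);
}

// addslashes() only touches ', ", \ and NUL. Returning both results lets
// a reader see which bytes one function leaves raw and the other rewrites.
function compareEscaping(string $s): array {
    return [
        'addslashes'  => addslashes($s),
        'mysql_model' => modelMysqlEscape($s),
    ];
}

// Constructed input: a quote, an embedded newline and a Control-Z byte.
$sample = "O'Brien\nline2\x1a";
print_r(compareEscaping($sample));
// addslashes keeps the newline and \x1a as raw bytes inside the literal;
// the model rewrites them as \n and \Z, which is what the thread means by
// "escapes a bunch more characters" and "making logs easier to read".

// Part 2: AddNewCustomer() as a prepared statement. The placeholders carry
// the values separately from the SQL text, so neither addslashes() nor
// mysql_real_escape_string() is needed on them.
function openDb(): PDO {
    // Placeholder DSN and credentials (assumed, not from the thread).
    $db = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'secret');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Ask for server-side prepares rather than client-side emulation.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $db;
}

function addNewCustomer(PDO $db, array $c): bool {
    $sql = 'INSERT INTO Customer_Info
                (FirstNameCol, LastNameCol, EmailCol, LoginNameCol, PasswordCol)
            VALUES (:first, :last, :email, :login, :pw)';
    $stmt = $db->prepare($sql);
    return $stmt->execute([
        ':first' => $c['FirstName'],
        ':last'  => $c['LastName'],
        ':email' => $c['Email'],
        ':login' => $c['LoginName'],
        // password_hash() replaces the SHA1() used in the original post.
        ':pw'    => password_hash($c['Password'], PASSWORD_DEFAULT),
    ]);
}

// Usage (requires a reachable MySQL server matching the placeholder DSN):
// $ok = addNewCustomer(openDb(), [
//     'FirstName' => "O'Brien", 'LastName' => 'Test', 'Email' => 'a@b.example',
//     'LoginName' => 'obrien', 'Password' => 'correct horse battery staple',
// ]);
```

Part 1 runs anywhere; Part 2 is the shape to copy into real code. Escaping, whether with addslashes() or mysql_real_escape_string(), is a property of the string and the connection's character set; the prepared statement removes that dependency entirely, which is why it answers Brian's question more durably than picking between the two functions.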