> I'm currently reading "Building Scalable Web Sites" by Cal Henderson
> (which I think is great so far for anyone making large [or potentially
> large] web apps). In the section about avoiding SQL injection attacks,
> he says "the more complicated mysql_real_escape_string escapes a bunch
> more characters but is ultimately unnecessary (although useful for
> making logs easier to read)." I thought that was interesting -
> "ultimately unnecessary."
mysql_real_escape_string takes into consideration the character set, which addslashes doesn't. You are safe if you're using ansi-8859 or UTF-8, but other character encodings which have valid characters ending in 0x5c will not be properly escaped by addslashes. Chris has an example of this here: http://shiflett.org/archive/184

Carlos Hoyos

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
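The failure Carlos describes, worked through in Python rather than PHP as an added example (not code from the thread or from the linked article). `addslashes` below is a byte-wise stand-in for PHP's addslashes(), `escape_for_charset` is a stand-in for a charset-aware escaper, and `split_literal` is a deliberately minimal model of how a backslash-escaping server reads a quoted literal; the GBK payload bytes are constructed for the demonstration.

```python
"""Why byte-blind escaping fails on multibyte charsets such as GBK.

Assumptions: addslashes() and escape_for_charset() are simplified
stand-ins for PHP's addslashes() and for a charset-aware escaper;
split_literal() is a minimal model of a server reading a backslash-escaped
quoted literal. The payload bytes are constructed for this demonstration.
"""

ESCAPED_BYTES = {0x27, 0x22, 0x5C, 0x00}   # ' " \ NUL
ESCAPED_CHARS = {"'", '"', "\\", "\x00"}


def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping in the spirit of PHP's addslashes(): a backslash is
    inserted before each of ' " \\ NUL, with no idea where one character ends
    and the next begins."""
    out = bytearray()
    for b in data:
        if b in ESCAPED_BYTES:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_for_charset(data: bytes, encoding: str) -> bytes:
    """Charset-aware escaping: decode strictly (an invalid sequence such as
    b'\\xbf\\x27' in GBK raises UnicodeDecodeError instead of being split),
    escape whole characters, then re-encode in the same charset."""
    text = data.decode(encoding)
    return "".join("\\" + ch if ch in ESCAPED_CHARS else ch for ch in text).encode(encoding)


def split_literal(sql: str) -> tuple[str, str]:
    """Read a single-quoted literal the way a backslash-escaping server would.
    Returns (literal_body, sql_remaining_after_the_closing_quote)."""
    if not sql.startswith("'"):
        raise ValueError("expected a quoted literal")
    body, i = [], 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):   # escaped character
            body.append(sql[i + 1])
            i += 2
        elif ch == "'":                         # closing quote
            return "".join(body), sql[i + 1:]
        else:
            body.append(ch)
            i += 1
    raise ValueError("unterminated literal")


def quote_and_parse(raw: bytes, escaper, encoding: str):
    """Escape raw, wrap it in quotes as a query would, decode the query in
    the server's charset and parse the literal. Returns None when the escaper
    rejects the input as invalid in that charset."""
    try:
        escaped = escaper(raw)
    except UnicodeDecodeError:
        return None
    query = b"'" + escaped + b"'"
    return split_literal(query.decode(encoding))


if __name__ == "__main__":
    ENC = "gbk"
    gbk_aware = lambda b: escape_for_charset(b, ENC)
    # Constructed attack payload: 0xBF is a GBK lead byte, and the 0x5C that
    # addslashes inserts before 0x27 completes it into a valid character, so
    # the quote survives unescaped and the literal closes early.
    attack = b"\xbf\x27 OR 1=1 -- "
    print("addslashes   :", quote_and_parse(attack, addslashes, ENC))
    print("charset-aware:", quote_and_parse(attack, gbk_aware, ENC))
    # Valid GBK input whose last byte is 0x5C: addslashes escapes the trail
    # byte and corrupts the character; the charset-aware escaper keeps it.
    benign = b"\xbf\x5c'"
    print("addslashes   :", quote_and_parse(benign, addslashes, ENC))
    print("charset-aware:", quote_and_parse(benign, gbk_aware, ENC))
```

The charset-aware path only helps if the charset it escapes for is the one the server actually parses the query in, which is exactly what mysql_real_escape_string reads from the connection; parameterised queries avoid the question altogether.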