Cool... I thought Chris might have something on this. The previous chapter is all about Unicode/UTF-8 - why you should use it, how you make sure that your input is valid UTF-8, etc. - so maybe he was making the statement in that context, where everything has already been converted to valid UTF-8 (and the database uses UTF-8 for its tables). Thanks a lot! -Rob
Carlos A Hoyos wrote:
>> I'm currently reading "Building Scalable Web Sites" by Cal Henderson
>> (which I think is great so far for anyone making large [or potentially
>> large] web apps). In the section about avoiding SQL injection attacks,
>> he says "the more complicated mysql_real_escape_string escapes a bunch
>> more characters but is ultimately unnecessary (although useful for
>> making logs easier to read)." I thought that was interesting -
>> "ultimately unnecessary."
>>
>
> mysql_real_escape_string takes into consideration the character set, which
> addslashes doesn't.
>
> You are safe if you're using ansi-8859 or utf-8, but other character
> encodings which have valid characters ending in 0x5c will not be properly
> escaped by addslashes.
>
> Chris has an example of this here: http://shiflett.org/archive/184
>
> Carlos Hoyos
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
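The 0x5c problem Carlos describes, worked through as an added example that is not part of the thread, of Cal Henderson's book, or of Chris Shiflett's article. The thread is about PHP, but the behaviour is easier to show in a few lines of Python: `addslashes()` below is a byte-for-byte model of PHP's function, `charset_aware_escape()` is an assumed design that escapes at the character level of the connection charset and rejects input that is not well-formed in it (a simplification; libmysql's escape routine instead escapes a stray apparent lead byte, so this is not mysql_real_escape_string's exact algorithm), and `literal_breaks_out()` models how a server tokenizes a quoted string literal in that charset. All byte strings are constructed samples; 0xbf27 is not a GBK character but 0xbf5c is, which is the whole trick.

```python
"""Added example: why byte-oriented addslashes() fails under a multibyte
charset such as GBK, while escaping that knows the connection charset
does not. Not code from the thread, the book, or Shiflett's article."""


def addslashes(data: bytes) -> bytes:
    """Byte-level escaping in the style of PHP's addslashes(): it looks at
    single bytes and knows nothing about the connection charset."""
    out = bytearray()
    for b in data:
        if b == 0x00:
            out += b"\\0"
        elif b in (0x27, 0x22, 0x5C):          # ' " and backslash itself
            out += b"\\" + bytes([b])
        else:
            out.append(b)
    return bytes(out)


def charset_aware_escape(data: bytes, charset: str) -> bytes:
    """Escape at the character level of the connection charset.

    Assumed design for this example (not mysql_real_escape_string's exact
    algorithm): input that does not decode in the charset is rejected, so a
    stray lead byte can never be glued to the 0x5c escape byte."""
    text = data.decode(charset)                 # UnicodeDecodeError on bad input
    out = []
    for ch in text:
        if ch == "\0":
            out.append("\\0")
        elif ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out).encode(charset)


def literal_breaks_out(escaped: bytes, charset: str) -> bool:
    """Model of a server parsing a single-quoted string literal: decode the
    bytes in the connection charset, let backslash escape the next
    character, and report whether a bare quote ends the literal early
    (i.e. whatever follows would be parsed as SQL)."""
    text = escaped.decode(charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2                              # escape swallows next character
            continue
        if text[i] == "'":
            return True
        i += 1
    return False


# Constructed samples.
SHIFLETT_STYLE = b"\xbf\x27 OR 1=1 -- "         # 0xbf 0x27: not a GBK character
VALID_GBK_CHAR = b"\xbf\x5c"                    # 0xbf 0x5c: one GBK character
DOUBLE_ESCAPE = VALID_GBK_CHAR + b"' OR 1=1 -- "
UTF8_INPUT = "caf\u00e9' OR 1=1 -- ".encode("utf-8")


def gbk_trail_byte_can_be_backslash() -> bool:
    """The root cause: a valid GBK character may end in 0x5c."""
    return len(VALID_GBK_CHAR.decode("gbk")) == 1 and VALID_GBK_CHAR[1] == 0x5C


if __name__ == "__main__":
    # addslashes turns the invalid 0xbf27 into the valid 0xbf5c + bare quote.
    print("addslashes, GBK, invalid lead:", literal_breaks_out(addslashes(SHIFLETT_STYLE), "gbk"))
    # With a real 0xbf5c character the trail byte gets doubled and the quote is bare again.
    print("addslashes, GBK, valid char:  ", literal_breaks_out(addslashes(DOUBLE_ESCAPE), "gbk"))
    # Single-byte and UTF-8 charsets never have 0x5c inside a character.
    print("addslashes, latin-1:          ", literal_breaks_out(addslashes(SHIFLETT_STYLE), "latin-1"))
    print("addslashes, UTF-8:            ", literal_breaks_out(addslashes(UTF8_INPUT), "utf-8"))
    print("charset-aware, GBK:           ", literal_breaks_out(charset_aware_escape(DOUBLE_ESCAPE, "gbk"), "gbk"))
```

Two things fall out of running it. First, Carlos's safe list holds: under latin-1 and UTF-8 no character's trailing byte can be 0x5c (UTF-8 continuation bytes are all 0x80 or above), so the backslash addslashes inserts always pairs with the quote it was meant to protect. Second, GBK fails in both directions: an invalid 0xbf 0x27 is turned into the valid character 0xbf 0x5c followed by a bare quote, and a genuine 0xbf 0x5c character has its own trail byte doubled, which again leaves the quote bare. Escaping after decoding in the connection charset avoids both, which is what "takes into consideration the character set" buys you, and why the book's "unnecessary" only holds once input is known to be valid UTF-8 end to end.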