Dan Cech wrote:
> What you're failing to consider here is the character set of the active
> mysql connection. Correct me if I'm wrong, but it is my understanding
> that mysql_real_escape_string does not incur an extra trip to the
> database, the escaping still occurs within php, but it takes into
> account the character set of the active connection.
>

You probably know this better than I do, but in any case, you need to have a connection established, otherwise mysql_real_escape_string throws an error. That means that something is going back and forth to the db engine at some point, which isn't a big deal if one needs the connection anyway. Addslashes doesn't need anything.

> This may not seem that important right now, but when you find yourself
> wanting/needing to switch to utf8 you'll be glad you used mysql_real_escape.
>

That was mentioned in a different post and I did not mean to make it appear as if this doesn't happen.

> As for how strange characters might get into input, assuming that it
> won't happen is just plain bad practice. Of course the enterprising
> hacker will find a way to inject these characters, and addslashes will fail.
>

I also did not mean to advertise using addslashes (I myself stopped doing that), but tried to get some sense into the "ultimately unnecessary" that was brought up by Cliff.

> When dealing with user input, always use the very best tools you have
> available to you, because the one corner you cut will be the chink in
> your application's armor.
>
> Dan

I wholeheartedly agree with this.

David K.
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
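The point the thread circles around, as an added example that is not from either poster: connection-aware escaping only works with a live connection whose charset has been set, so the code fails closed rather than falling back to addslashes(), and the "very best tool" for user input is a parameterized query. It assumes a reachable MySQL server with a `users(id, name)` table; the host, credentials and database name are placeholders.

```php
<?php
// Added example (not from the thread): charset-aware escaping needs a live
// connection, so fail closed instead of falling back to addslashes().
// Assumes a reachable MySQL server; host/user/password/db are placeholders.

declare(strict_types=1);

function connectUtf8(string $host, string $user, string $pass, string $db): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on failure
    $link = new mysqli($host, $user, $pass, $db);
    // Tell the driver the connection charset; escaping is computed relative
    // to this charset, which is exactly what addslashes() cannot know.
    $link->set_charset('utf8mb4');
    return $link;
}

// Escape for interpolation into a quoted SQL literal. Refuses to run
// without a connection: there is no correct charset-independent answer.
function escapeForLiteral(?mysqli $link, string $value): string
{
    if ($link === null) {
        throw new LogicException('no connection: cannot escape without a charset');
    }
    return $link->real_escape_string($value);
}

// The better tool from the thread's closing advice: a prepared statement
// keeps data out of the SQL text, so nothing needs escaping at all.
function findUserByName(mysqli $link, string $name): ?array
{
    $stmt = $link->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

$link = connectUtf8('db.example', 'app', 'PLACEHOLDER_PASSWORD', 'appdb');
$raw  = "O'Brien";
$sql  = "SELECT id FROM users WHERE name = '" . escapeForLiteral($link, $raw) . "'";
echo $sql, "\n";                       // the quote is escaped per the connection charset
var_dump(findUserByName($link, $raw)); // preferred: parameterized query, no escaping
```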