2012/5/2 Rob Marscher <rmarsc...@beaffinitive.com>:
>
> On May 2, 2012, at 1:08 PM, Eugenio Tacchini wrote:
>> Now, I'm wondering if the DB specific escape functions really give
>> additional value with respect to addslashes.
>
> Chris Shiflett's article from 2006 had the best argument I've seen on why
> addslashes is not enough to secure your code.
> http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
I was following a discussion on Stack Overflow and I actually ended up
reading exactly that article. I think it's a very good article and yes, he
explained the advantage of using mysql_real_escape_string. However, like
most of the examples of SQL injection I have read, it focuses on a user
authentication query which (at least the way I usually code) I don't think
could be affected. Maybe I'm wrong, but when I execute a query looking for
a user, I always check if the result is just one row (as expected); if not,
I produce an error. I am sure there are other examples in which the use of
addslashes would be dangerous, though.

> Keep a copy of your unescaped data. Escape it for inserting into the
> database. Then take the original unescaped data and do what else you need
> with it. If you're outputting to HTML, you need to run something like the
> following on each variable you output:
>
> echo htmlspecialchars((string) $var, ENT_QUOTES, 'UTF-8');

Yes, I know this is the best practice, but changing an old application is
not easy, so I was trying to find something having less code impact.

Cheers,

------------------
Eugenio Tacchini
dadabik.org
DaDaBIK database front-end
_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/show-participation
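The failure mode behind the Shiflett article referenced above, worked through as an added example that is not part of the thread and not PHP's or MySQL's own code: on a connection whose client charset is GBK, the byte 0xBF is a valid lead byte and 0x5C (backslash) is a valid trail byte, so the backslash that addslashes() inserts in front of a quote can be swallowed into a two-byte character, leaving a bare quote that ends the literal. A charset-aware escaper (the behaviour mysql_real_escape_string has when the client library knows the connection charset) escapes the orphaned lead byte itself, so no such merge can happen. The functions below are simplified byte-level re-implementations written for this illustration; the query prefix, the payload and the GBK lexing rules are modelled only as far as this case needs.

```python
"""Added model of addslashes() vs a charset-aware escaper on a GBK MySQL
connection. Byte-level re-implementations for illustration only; the GBK
rules and the MySQL lexer are simplified to what this case needs."""

# Constructed query shape: the literal opens at the last byte of the prefix.
SQL_PREFIX = b"SELECT * FROM users WHERE name = '"


def addslashes(data: bytes) -> bytes:
    """PHP addslashes(): put a backslash before ' " \\ and NUL, one byte at a
    time, with no idea which bytes belong to multi-byte characters."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def gbk_char_len(data: bytes, i: int) -> int:
    """2 if data[i:i+2] is a well-formed GBK double-byte character, else 1.
    GBK lead bytes are 0x81-0xFE; trail bytes are 0x40-0x7E or 0x80-0xFE,
    which is why 0xBF 0x5C (a backslash as trail byte) is one character."""
    if 0x81 <= data[i] <= 0xFE and i + 1 < len(data):
        t = data[i + 1]
        if 0x40 <= t <= 0x7E or 0x80 <= t <= 0xFE:
            return 2
    return 1


def charset_aware_escape(data: bytes) -> bytes:
    """Model of mysql_real_escape_string() with the client charset set to GBK:
    valid double-byte characters are copied untouched, a lone lead byte is
    escaped itself so it cannot absorb a following backslash, and the usual
    MySQL specials (quotes, backslash, NUL, LF, CR, ^Z) are escaped."""
    specials = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z"}
    out = bytearray()
    i = 0
    while i < len(data):
        if gbk_char_len(data, i) == 2:
            out += data[i:i + 2]
            i += 2
            continue
        b = data[i]
        if 0x81 <= b <= 0xFE:
            out += b"\\" + bytes([b])          # orphaned lead byte
        elif b in (0x27, 0x22, 0x5C) or b in specials:
            out += specials.get(b, b"\\" + bytes([b]))
        else:
            out.append(b)
        i += 1
    return bytes(out)


def sql_after_literal(query: bytes, open_idx: int) -> bytes:
    """Model of how MySQL's lexer reads a single-quoted literal on a GBK
    connection: a well-formed double-byte character is skipped whole, a
    backslash escapes the next byte, and the first unescaped quote ends the
    literal. Returns the bytes the parser then treats as SQL."""
    i = open_idx + 1
    while i < len(query):
        if gbk_char_len(query, i) == 2:
            i += 2
        elif query[i] == 0x5C:
            i += 2
        elif query[i] == 0x27:
            return query[i + 1:]
        else:
            i += 1
    raise ValueError("unterminated string literal")


def injected_tail(escaper, value: bytes) -> bytes:
    """Escape `value` with `escaper`, embed it in SQL_PREFIX ... ' and return
    what the parser sees after the literal. b"" means the whole value stayed
    inside the quotes; anything else is text the attacker got out of them."""
    query = SQL_PREFIX + escaper(value) + b"'"
    return sql_after_literal(query, len(SQL_PREFIX) - 1)


# Constructed attacker input: a lone GBK lead byte, a quote, then SQL.
PAYLOAD = b"\xbf' OR 1=1 -- "

if __name__ == "__main__":
    for name, fn in (("addslashes", addslashes),
                     ("charset-aware", charset_aware_escape)):
        print(f"{name:14} escaped={fn(PAYLOAD)!r}  "
              f"sql after literal={injected_tail(fn, PAYLOAD)!r}")
```

With addslashes the escaped payload is `BF 5C 27 ...`: the lexer consumes `BF 5C` as one character and the `27` closes the literal, so ` OR 1=1 -- '` runs as SQL. The charset-aware version produces `5C BF 5C 27 ...`, every byte of which stays inside the quotes. The same model also shows that addslashes mangles legitimate GBK text whose trail byte is 0x5C, since the extra backslash it adds changes which bytes pair up. Two practical caveats follow from the model: the escaper only helps if the client library actually knows the connection charset (in PHP that means mysql_set_charset() rather than a `SET NAMES` query), and, as Rob's reply says, HTML output is a separate sink, so the raw value (not the SQL-escaped one) is what gets passed to htmlspecialchars(), or to html.escape() in Python.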