mysql_real_escape_string

If I only escape the characters that mysql_real_escape_string recognizes, is
this adequate protection against SQL injection attacks?

I have read a number of archived posts plus I've read some of the info at
php.net. I am still not convinced as to what to do. The php folks claim that
using mysql_real_escape_string is all that is needed. Then on the other
hand, there is a myriad of opinions about that. I think I am inclined to
side with the php folks.

One thing that bothers me about the mysql_real_escape_string is that it
doesn't escape "--" which is a comment. One justification for this is that
it would have to be delimited with an " ' " before it would have any effect.
But I am not totally sure about that either.

Finally, what does the "real" mean in mysql_real_escape_string?

Mike

Sep 8 '05 #1
Michael G wrote:
> If I only escape the characters that mysql_real_escape_string recognizes, is
> this adequate protection against SQL injection attacks?
>
> I have read a number of archived posts plus I've read some of the info at
> php.net. I am still not convinced as to what to do. The php folks claim that
> using mysql_real_escape_string is all that is needed. Then on the other
> hand, there is a myriad of opinions about that. I think I am inclined to
> side with the php folks.
>
> One thing that bothers me about the mysql_real_escape_string is that it
> doesn't escape "--" which is a comment. One justification for this is that
> it would have to be delimited with an " ' " before it would have any effect.
> But I am not totally sure about that either.
>
> Finally, what does the "real" mean in mysql_real_escape_string?

mysql_real_escape_string obeys the character set being used by the
system, which is always a better method.

Chris Shiflett* has a nice article about SQL injection and PHP over at:
http://shiflett.org/articles/security-corner-apr2004
[*] - Brief about Chris: http://shiflett.org/about

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
Sep 8 '05 #2
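The question about "--" in Mike's post and the charset point in Justin's reply both come down to quoting context. The following is an added example, not code from this thread or from PHP: it re-implements the escaping mysql_real_escape_string is documented to perform (ASCII only, ignoring the charset awareness the real function adds), then scans the assembled query to show that an escaped value, comment marker included, stays inside its quoted literal, while in an unquoted numeric context escaping changes nothing. The query templates and input values are constructed for the demonstration.

```python
import re

# Added example, not code from the thread or from PHP: a re-implementation of
# the escaping mysql_real_escape_string is documented to perform (ASCII only;
# the real one is charset-aware, which is what "real" refers to), plus a tiny
# scanner that reports whether a spliced-in value stays inside its quotes.
_MYSQL_ESCAPES = {  # NUL, newline, CR, backslash, both quotes, Ctrl-Z
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}

def mysql_escape(value: str) -> str:
    """Escape a value the way mysql_real_escape_string does (ASCII input)."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)

def literal_end(sql: str, opening: int) -> int:
    """Index just past the single-quoted literal opening at sql[opening],
    honouring backslash escapes and doubled quotes (''); -1 if unterminated."""
    i = opening + 1
    while i < len(sql):
        if sql[i] == "\\":               # backslash consumes the next char
            i += 2
        elif sql[i] == "'":
            if sql[i + 1:i + 2] == "'":  # '' is an escaped quote, not the end
                i += 2
            else:
                return i + 1
        else:
            i += 1
    return -1

def value_stays_data(template: str, raw: str, escape: bool = True) -> bool:
    """Splice raw into the single %s of template (escaped or not) and report
    whether it is still one data value rather than extra SQL syntax."""
    value = mysql_escape(raw) if escape else raw
    pos = template.index("%s")
    sql = template.replace("%s", value, 1)
    if pos > 0 and template[pos - 1] == "'":
        # Quoted context: the literal must close at the quote right after the
        # value, so a quote or comment marker inside it is only data.
        return literal_end(sql, pos - 1) == pos + len(value) + 1
    # Unquoted (numeric) context: escaping changes nothing, so only a bare
    # number is data here. Prepared statements avoid this question entirely.
    return re.fullmatch(r"-?\d+(\.\d+)?", value) is not None

QUOTED = "SELECT * FROM users WHERE name = '%s'"    # constructed templates
UNQUOTED = "SELECT * FROM users WHERE id = %s"
```

Run `value_stays_data(QUOTED, "' OR 1=1 --")` against `value_stays_data(UNQUOTED, "1 OR 1=1")` to see the two cases side by side: the escaped value in quotes is data, the unquoted one is not. Prepared statements (mysqli or PDO) sidestep the whole context problem because values are never spliced into the SQL text.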
