473,513 Members | 2,358 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

mysql_real_escape_string

If I only escape the characters that mysql_real_escape_string recognizes, is
this adequate protection against SQL injection attacks?

I have read a number of archived posts plus I've read some of the info at
php.net. I am still not convinced as to what to do. The php folks claim that
using mysql_real_escape_string is all that is needed. Then on the other
hand, there is a myriad of opinions about that. I think I am inclined to
side with the php folks.

One thing that bothers me about the mysql_real_escape_string is that it
doesn't escape "--" which is a comment. One justification for this is that
it would have to be delimited with an " ' " before it would have any affect.
But I am not totally sure about that either.

Finally, what does the "real" mean in mysql_real_escape_string?

Mike

----== Posted via Newsfeeds.Com - Unlimited-Uncensored-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----
Sep 8 '05 #1
1 1865
Michael G wrote:
If I only escape the characters that mysql_real_escape_string recognizes, is
this adequate protection against SQL injection attacks?

I have read a number of archived posts plus I've read some of the info at
php.net. I am still not convinced as to what to do. The php folks claim that
using mysql_real_escape_string is all that is needed. Then on the other
hand, there is a myriad of opinions about that. I think I am inclined to
side with the php folks.

One thing that bothers me about the mysql_real_escape_string is that it
doesn't escape "--" which is a comment. One justification for this is that
it would have to be delimited with an " ' " before it would have any affect.
But I am not totally sure about that either.

Finally, what does the "real" mean in mysql_real_escape_string?


mysql_real_escape_string obeys the character set being used by the
system, which is always a better method.

Chris Shiflett* has a nice article about SQL injection and PHP over at:
http://shiflett.org/articles/security-corner-apr2004
[*] - Brief about Chris: http://shiflett.org/about

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
Sep 8 '05 #2

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics
1
3114
addslashes vs. mysql_real_escape_string
by: leegold2 | last post by:
When I look directly in my db field I see a difference between these two functions. The top line (seebelow) was inserted with addslashes vs. the bottom line where I used mysql_real_escape_string....
PHP
2
7610
mysql_real_escape_string() vs addslashes()
by: Marcus | last post by:
Hello, My php.ini file currently has magic quotes set to On, but I have read that it is better to code with it off. Currently with magic quotes on, I only use stripslashes() to properly...
PHP
9
1985
2 small Q's about mysql_real_escape_string()
by: frizzle | last post by:
Hi groupies, I have 2 small questions, which i really want to be sure about: - does mysql_real_escape_string() prevent any kind of mysq-injection? - can it put escaped quotes etc in the DB, or...
PHP
2
29524
mysql_real_escape_string() cannot connect to database..??
by: comp.lang.php | last post by:
when trying to use the mysql_real_escape_string() function, the following warning occurs: First of all, the user is not 'web' trying to connect to the database, secondly, what is...
PHP
2
2891
mysql_real_escape_string/htmlentities issue
by: matthud | last post by:
<?php //MAKE IT SAFE $chunk = $_POST; $title = $_POST; $url = $_POST; $tags = $_POST; $user = $_POST; $safe_chunk = mysql_real_escape_string(htmlentities($chunk)); $safe_title =...
PHP
11
2717
mysql_real_escape_string()
by: zach | last post by:
I created a comment form which will inserts the comments into a database and displays them immediately. I want to make sure that its safe from users inserting unwanted data into the database or...
PHP
2
3365
mysql_real_escape_string necessary when using prepared statements
by: Pugi! | last post by:
It is by accident that I noticed that I forgot to use mysql_real_escape_string in part of my webapp. I tested input with following text : Hélène 51°56'12'' http://www.mysite.org/folder 3 functions...
PHP
13
3451
addslashes/mysql_real_escape_string
by: ndlarsen | last post by:
Hello. It's been a while since I used php. Since then magic quotes has been deprecated and will be removed when php 6.0 hits. My question is, what should I be using when submitting data to a...
PHP
7
5138
mysql_real_escape_string errror: expects string, resource given.
by: roseple | last post by:
Hi, can anyone please help me why I got this error every I uploaded files. Error: Here is the code on the said warning message: # Gather all required data $name =...
PHP
0
7267
marktang
What is ONU?
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
General
0
7175
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
Windows Server
0
7391
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers,...
C / C++
1
7120
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
Windows Server
0
7542
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
General
0
5697
agi2029
AI Job Threat for Devs
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
Career Advice
0
3247
Trying to create a lan-to-lan vpn between two differents networks
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The...
Networking - Hardware / Configuration
1
809
muto222
How to add payments to a PHP MySQL app.
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
PHP
0
466
bsmnconsultancy
Comprehensive Guide to Website Development in Toronto: Expert Insights from BSMN Consultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence...
General

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us