Bytes | Developer Community

mysql_real_escape_string() vs addslashes()

Hello,

My php.ini file currently has magic quotes set to On, but I have read
that it is better to code with it off.

Currently with magic quotes on, I only use stripslashes() to properly
format strings that are displayed on the screen. I know that now with
magic quotes off, I will have to manually handle escaping special
characters with mysql_real_escape_string() or addslashes().

My question is this... from what I can gather on php.net and some other
sources, mysql_real_escape_string() is better than addslashes(), so am I
correct in saying that I don't ever need to use addslashes()?

I know I need to use one of these functions when formatting queries to
MySQL to prevent SQL injection attacks, but how about when I am just
dealing with variables in $_POST, $_GET, and $_SESSION? With magic
quotes on, when I perform a SELECT and a row has a single quote in the
result, for example, magic quotes will automatically add a \ to the
value. Is there any security risk or other drawback in not escaping out
special characters that I am just working with in the code, and then
formatting everything right before sending to the database?

Thanks a lot in advance.
Nov 3 '05 #1
Marcus wrote:

> Hello,
>
> My php.ini file currently has magic quotes set to On, but I have read
> that it is better to code with it off.

Hi Marcus,

Why is that?
I think you should decide for yourself what you like the best.
You can always just overrule the ini-settings by:
ini_set("magic_quotes_gpc", "1");

Are you maybe confusing magic_quotes_gpc with magic_quotes_runtime?

> Currently with magic quotes on, I only use stripslashes() to properly
> format strings that are displayed on the screen. I know that now with
> magic quotes off, I will have to manually handle escaping special
> characters with mysql_real_escape_string() or addslashes().

Yes.

> My question is this... from what I can gather on php.net and some other
> sources, mysql_real_escape_string() is better than addslashes(), so am I
> correct in saying that I don't ever need to use addslashes()?

I am unsure why the former is better, but if you only use the POST/GET data
on MySQL, yes: you do not need to add or strip slashes, you could just use
mysql_real_escape_string().

> I know I need to use one of these functions when formatting queries to
> MySQL to prevent SQL injection attacks, but how about when I am just
> dealing with variables in $_POST, $_GET, and $_SESSION?

If you are getting data from POST/GET/COOKIE, you need to look at
magic_quotes_gpc.

If you want data coming from queries to be escaped, use
magic_quotes_runtime.

I don't think the last one is very handy in most situations.
I always turn it off.

> With magic quotes on, when I perform a SELECT and a row has a single quote in the
> result, for example, magic quotes will automatically add a \ to the
> value. Is there any security risk or other drawback in not escaping out
> special characters that I am just working with in the code, and then
> formatting everything right before sending to the database?
>
> Thanks a lot in advance.

Well, have a look at BOTH magic_quotes functions, and your confusion will
disappear. :-)

Regards and good luck!

Erwin Moller
Nov 3 '05 #2
Marcus wrote:

> Hello,
>
> My php.ini file currently has magic quotes set to On, but I have read
> that it is better to code with it off.
>
> Currently with magic quotes on, I only use stripslashes() to properly
> format strings that are displayed on the screen. I know that now with
> magic quotes off, I will have to manually handle escaping special
> characters with mysql_real_escape_string() or addslashes().
>
> My question is this... from what I can gather on php.net and some other
> sources, mysql_real_escape_string() is better than addslashes(), so am I
> correct in saying that I don't ever need to use addslashes()?
>
> I know I need to use one of these functions when formatting queries to
> MySQL to prevent SQL injection attacks, but how about when I am just
> dealing with variables in $_POST, $_GET, and $_SESSION? With magic
> quotes on, when I perform a SELECT and a row has a single quote in the
> result, for example, magic quotes will automatically add a \ to the
> value. Is there any security risk or other drawback in not escaping out
> special characters that I am just working with in the code, and then
> formatting everything right before sending to the database?
>
> Thanks a lot in advance.

If you are only concerned with MySQL queries, then *only* use
mysql_real_escape_string.

It escapes special characters in the string using the current character
set of the connection. If you want to use binary data in your query, you
will definitely need this function as well. PHP's
mysql_real_escape_string uses MySQL's library function
mysql_real_escape_string.

The same holds true for all database systems when working with PHP. If
there is a "native" escaping function, you should use that and only use
addslashes as a last resort.

addslashes only adds a backslash for the following characters:
* single quote (')
* double quote (")
* backslash (\)
* NUL (the NULL byte).

mysql_real_escape_string escapes the following characters:
* \x00
* \n
* \r
* \
* '
* "
* \x1a

HTH.

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
Nov 3 '05 #3
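Added example, not part of the thread above: a Python model of the two escaping rules Justin lists, together with a model of how the MySQL server reads the inside of a '...' literal, to show concretely why the charset-aware function is better than addslashes(). The difference is multibyte connection charsets. addslashes() works on bytes, so for a GBK connection the two input bytes 0xBF 0x27 become 0xBF 0x5C 0x27, and the server reads 0xBF 0x5C as one valid GBK character, leaving the quote live. libmysql's escaper walks the input by characters of the connection charset and backslash-escapes a lone lead byte, so the quote stays escaped. The same model shows the caveat that mysql_real_escape_string() only knows the charset the client library was told about: changing the charset with a plain SET NAMES query does not update the library, so it keeps escaping bytewise (use mysql_set_charset() instead). The function names, the LEAD_BYTES table and the payload bytes are this example's own, not PHP's or MySQL's code; only GBK is modelled as a multibyte charset.

```python
# Added example: a byte-level model of the two escaping rules in the post above
# and of how the server scans a string literal. All names here are the
# example's own, not PHP's or libmysql's code; the payload is constructed.

# What mysql_real_escape_string() escapes, and the sequence it emits for each.
MYSQL_ESCAPES = {
    0x00: b"\\0",   # NUL
    0x0A: b"\\n",   # newline
    0x0D: b"\\r",   # carriage return
    0x5C: b"\\\\",  # backslash
    0x27: b"\\'",   # single quote
    0x22: b'\\"',   # double quote
    0x1A: b"\\Z",   # Ctrl-Z
}

# Lead-byte ranges of the multibyte charsets this model knows (assumption:
# only GBK is modelled). A single-byte charset such as latin1 has none.
LEAD_BYTES = {"gbk": range(0x81, 0xFF)}


def addslashes(data: bytes) -> bytes:
    """Model of PHP addslashes(): backslash before ' " \\ and NUL, bytewise,
    with no knowledge of the character set the bytes will be read in."""
    out = bytearray()
    for b in data:
        if b == 0x00:
            out += b"\\0"
        elif b in (0x27, 0x22, 0x5C):
            out += b"\\" + bytes([b])
        else:
            out.append(b)
    return bytes(out)


def mb_len(data: bytes, i: int, charset: str) -> int:
    """Length of the character at data[i] in charset: 2 for a valid two-byte
    sequence, else 1 (single-byte charset, or lead byte with a bad tail)."""
    if data[i] in LEAD_BYTES.get(charset, ()) and i + 1 < len(data):
        try:
            data[i:i + 2].decode(charset)
            return 2
        except UnicodeDecodeError:
            pass
    return 1


def mysql_real_escape_string(data: bytes, charset: str) -> bytes:
    """Model of libmysql's escaper: walk the input one character of the
    connection charset at a time. A valid multibyte character is copied
    whole; a lone lead byte is itself escaped so it cannot pair up with the
    backslash that escapes the quote after it."""
    out = bytearray()
    i = 0
    while i < len(data):
        n = mb_len(data, i, charset)
        if n > 1:
            out += data[i:i + n]
        elif data[i] in LEAD_BYTES.get(charset, ()):
            out += b"\\" + bytes([data[i]])
        else:
            out += MYSQL_ESCAPES.get(data[i], bytes([data[i]]))
        i += n
    return bytes(out)


def has_live_quote(body: bytes, charset: str) -> bool:
    """Model of the server reading the inside of a '...' literal: a valid
    multibyte character is consumed whole, a backslash consumes the byte
    after it, and an unescaped ' ends the literal, i.e. is live for injection."""
    i = 0
    while i < len(body):
        n = mb_len(body, i, charset)
        if n == 1 and body[i] == 0x5C:
            n = 2                      # escaped byte, whatever it is
        elif n == 1 and body[i] == 0x27:
            return True
        i += n
    return False


def compare(payload: bytes, server_charset: str = "gbk") -> dict:
    """Escape one payload three ways and report whether a quote survives when
    the server reads the result in server_charset."""
    return {
        "addslashes": has_live_quote(addslashes(payload), server_charset),
        # Client library still set to latin1 (SET NAMES sent as a query
        # instead of mysql_set_charset): escapes bytewise, like addslashes.
        "mysql_real_escape_string/latin1": has_live_quote(
            mysql_real_escape_string(payload, "latin1"), server_charset),
        "mysql_real_escape_string/gbk": has_live_quote(
            mysql_real_escape_string(payload, server_charset), server_charset),
    }


if __name__ == "__main__":
    # Constructed payload: 0xBF is a GBK lead byte; 0xBF 0x27 is not a valid
    # GBK character, but 0xBF 0x5C (lead byte + an inserted backslash) is.
    payload = b"\xbf' OR 1=1 -- "
    for name, live in compare(payload).items():
        print(f"{name:33} live quote: {live}")
```

Running it prints a live-quote verdict for each strategy; only the escape done with the charset the server actually uses comes back False. For plain ASCII input the two functions agree on quotes and backslashes, and the extra characters mysql_real_escape_string handles (newline, carriage return, Ctrl-Z) matter mainly for binary data. Parameterized queries sidestep the whole question, since the data never travels inside the SQL text.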
