mysql_real_escape_string() vs addslashes()

  • Marcus

    mysql_real_escape_string() vs addslashes()

    Hello,

    My php.ini file currently has magic quotes set to On, but I have read
    that it is better to code with it off.

    Currently with magic quotes on, I only use stripslashes() to properly
    format strings that are displayed on the screen. I know that now with
    magic quotes off, I will have to manually handle escaping special
    characters with mysql_real_escape_string() or addslashes().

    My question is this... from what I can gather on php.net and some other
    sources, mysql_real_escape_string() is better than addslashes(), so am I
    correct in saying that I don't ever need to use addslashes()?

    I know I need to use one of these functions when formatting queries to
    MySQL to prevent SQL injection attacks, but how about when I am just
    dealing with variables in $_POST, $_GET, and $_SESSION? With magic
    quotes on, when I perform a SELECT and a row has a single quote in the
    result, for example, magic quotes will automatically add a \ to the
    value. Is there any security risk or other drawback in not escaping out
    special characters that I am just working with in the code, and then
    formatting everything right before sending to the database?

    Thanks a lot in advance.
  • Erwin Moller

    #2
    Re: mysql_real_escape_string() vs addslashes()

    Marcus wrote:

    Hi Marcus,
    > Hello,
    >
    > My php.ini file currently has magic quotes set to On, but I have read
    > that it is better to code with it off.

    Why is that?
    I think you should decide for yourself what you like the best.
    You can always just overrule the ini-settings by:
    ini_set("magic_quotes_gpc", "1");

    Are you maybe confusing magic_quotes_gpc with magic_quotes_runtime?

    >
    > Currently with magic quotes on, I only use stripslashes() to properly
    > format strings that are displayed on the screen. I know that now with
    > magic quotes off, I will have to manually handle escaping special
    > characters with mysql_real_escape_string() or addslashes().

    Yes.

    >
    > My question is this... from what I can gather on php.net and some other
    > sources, mysql_real_escape_string() is better than addslashes(), so am I
    > correct in saying that I don't ever need to use addslashes()?

    I am unsure why the former is better, but if you only use the POST/GET data
    on mySQL, yes: you do not need to add or strip slashes, you could just use
    mysql_real_escape_string().

    >
    > I know I need to use one of these functions when formatting queries to
    > MySQL to prevent SQL injection attacks, but how about when I am just
    > dealing with variables in $_POST, $_GET, and $_SESSION?

    If you are getting data from POST/GET/COOKIE, you need to look at
    magic_quotes_gpc.

    If you want data coming from queries to be escaped, use
    magic_quotes_runtime.

    I don't think the last one is very handy in most situations.
    I always turn it off.

    > With magic
    > quotes on, when I perform a SELECT and a row has a single quote in the
    > result, for example, magic quotes will automatically add a \ to the
    > value. Is there any security risk or other drawback in not escaping out
    > special characters that I am just working with in the code, and then
    > formatting everything right before sending to the database?
    >
    > Thanks a lot in advance.

    Well, have a look at BOTH magic_quotes functions, and your confusion will
    disappear. :-)

    Regards and good luck!

    Erwin Moller


    • Justin Koivisto

      #3
      Re: mysql_real_escape_string() vs addslashes()

      Marcus wrote:
      > Hello,
      >
      > My php.ini file currently has magic quotes set to On, but I have read
      > that it is better to code with it off.
      >
      > Currently with magic quotes on, I only use stripslashes() to properly
      > format strings that are displayed on the screen. I know that now with
      > magic quotes off, I will have to manually handle escaping special
      > characters with mysql_real_escape_string() or addslashes().
      >
      > My question is this... from what I can gather on php.net and some other
      > sources, mysql_real_escape_string() is better than addslashes(), so am I
      > correct in saying that I don't ever need to use addslashes()?
      >
      > I know I need to use one of these functions when formatting queries to
      > MySQL to prevent SQL injection attacks, but how about when I am just
      > dealing with variables in $_POST, $_GET, and $_SESSION? With magic
      > quotes on, when I perform a SELECT and a row has a single quote in the
      > result, for example, magic quotes will automatically add a \ to the
      > value. Is there any security risk or other drawback in not escaping out
      > special characters that I am just working with in the code, and then
      > formatting everything right before sending to the database?
      >
      > Thanks a lot in advance.

      If you are only concerned with MySQL queries, then *only* use
      mysql_real_escape_string.

      It escapes special characters in the string using the current character
      set of the connection. If you want to use binary data in your query, you
      will definitely need this function as well. PHP's
      mysql_real_escape_string uses MySQL's library function
      mysql_real_escape_string.

      The same holds true for all database systems when working with PHP. If
      there is a "native" escaping function, you should use that and only use
      addslashes as a last resort.

      addslashes only adds a backslash for the following characters:
      * single quote (')
      * double quote (")
      * backslash (\)
      * NUL (the NULL byte).

      mysql_real_escape_string escapes the following characters:
      * \x00
      * \n
      * \r
      * \
      * '
      * "
      * \x1a

      HTH.

      --
      Justin Koivisto, ZCE - justin@koivi.com
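The following PHP script is an added example, not code from the thread or from either poster. It puts Justin's two character lists side by side and applies Marcus's magic-quotes handling to a constructed request value. mysql_style_escape() is a hypothetical stand-in written here so the script runs without a database: it covers only the seven bytes Justin lists, whereas the real mysql_real_escape_string() (mysqli_real_escape_string() in current PHP) also honours the connection's character set, which is exactly why production code calls the native function on an open connection instead of a table like this.

```php
<?php
// Added example, not code from the thread. mysql_style_escape() is a
// hypothetical stand-in for mysql_real_escape_string(): it handles only the
// seven bytes Justin lists and knows nothing about the connection's
// character set, so it exists purely to show the difference from addslashes().

function mysql_style_escape(string $s): string
{
    return strtr($s, [
        "\x00" => '\\0',   // NUL byte
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',   // Ctrl-Z
    ]);
}

// Marcus's situation: with magic_quotes_gpc on, $_POST/$_GET/$_COOKIE already
// carry backslashes. Strip them first, otherwise the value is escaped twice
// and a single quote reaches the table as \'. get_magic_quotes_gpc() no longer
// exists in PHP 8, hence the function_exists() guard.
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Constructed sample values: a quote, a newline, a NUL byte and Ctrl-Z.
$samples = ["O'Brien", "line1\nline2", "nul\x00byte", "ctrl\x1az"];

foreach ($samples as $s) {
    $a = addslashes($s);
    $m = mysql_style_escape($s);
    printf("%-16s addslashes=%-18s mysql=%-18s %s\n",
        json_encode($s), json_encode($a), json_encode($m),
        $a === $m ? 'same' : 'DIFFERENT');
}

// Constructed request value, handled the way Marcus describes: undo magic
// quotes if present, work with the raw string in code, and escape only at the
// point where the SQL string is built.
$_POST['name'] = "O'Brien";
$name = raw_input($_POST['name']);
$sql  = "SELECT id FROM users WHERE name = '" . mysql_style_escape($name) . "'";
echo $sql, "\n";
```

Run it with the PHP CLI (`php escape_compare.php`). The quote and NUL rows come out identical, because both functions backslash those bytes; the newline and Ctrl-Z rows differ, because addslashes() leaves them untouched. That gap, plus the connection-charset awareness the stand-in lacks, is the substance of Justin's advice to use the native escaping function and keep addslashes() as a last resort.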
