Why use mysql_real_escape_string, does it hurt to prevent this?

I was looking through documents and came across mysql_real_escape_string() and I don't understand why it is useful when you can just addslashes(). Can someone show me the script why it is useful?

I am also wondering why this requires a database connection ... this seems like a lot of overhead.

+3

2 answers

There is a wonderful article here. And this discussion also points to the pros and cons of each decision.

addslashes() is PHP-specific, while mysql_real_escape_string is part of the MySQL C++ API (i.e. it comes from MySQL). mysql_real_escape_string escapes EOF, nulls and several other characters.

+7

Neither mysql_real_escape_string() nor addslashes() is about XSS or XSRF; both exist to prevent SQL injection.

Here is a vulnerable SQL query:

mysql_query("select * from user where id=".mysql_real_escape_string($_GET['id']));

Exploit:

http://localhost/test.php?id=1 or sleep(50)

Fix:

mysql_query("select * from user where id='".mysql_real_escape_string($_GET['id'])."'");

Better still, use ADODB or PDO.

+2
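As an added illustration (not part of either answer), the three query shapes from the thread run against an in-memory SQLite table so it works offline: mysql_real_escape_string() is modelled by a small function applying the character set documented for the MySQL C API, and the constructed payload `1 or 1=1` stands in for the thread's `1 or sleep(50)`, since SQLite has no sleep().

```python
"""Escaping only helps inside a quoted literal; a bound parameter needs none."""
import sqlite3

# Characters mysql_real_escape_string() backslash-escapes (per the MySQL C API docs).
MYSQL_SPECIAL = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
                 "'": "\\'", '"': '\\"', "\x1a": "\\Z"}


def mysql_escape(value: str) -> str:
    """Model of mysql_real_escape_string(): escapes the characters above, nothing else."""
    return "".join(MYSQL_SPECIAL.get(ch, ch) for ch in value)


def setup() -> sqlite3.Connection:
    """Constructed sample table standing in for the thread's `user` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (id integer primary key, name text)")
    conn.executemany("insert into user values (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def rows_unquoted(conn: sqlite3.Connection, user_input: str) -> int:
    """The thread's vulnerable form: escaped, but NOT inside quotes.
    A payload with no quote characters passes through mysql_escape() unchanged,
    so it is spliced in as SQL and matches every row."""
    sql = "select * from user where id=" + mysql_escape(user_input)
    return len(conn.execute(sql).fetchall())


def rows_quoted(conn: sqlite3.Connection, user_input: str) -> int:
    """The thread's fix: the escaped value is wrapped in single quotes, so the
    whole payload is one string literal and matches nothing.
    (SQLite does not read backslash escapes, so quote-bearing input is only
    demonstrated at the string level via mysql_escape().)"""
    sql = "select * from user where id='" + mysql_escape(user_input) + "'"
    return len(conn.execute(sql).fetchall())


def rows_bound(conn: sqlite3.Connection, user_input: str) -> int:
    """Parameter binding, which is what the ADODB/PDO advice buys you:
    the value never touches the SQL text, so no escaping is needed at all."""
    return len(conn.execute("select * from user where id=?", (user_input,)).fetchall())


if __name__ == "__main__":
    c = setup()
    for payload in ("1", "1 or 1=1"):
        print(repr(payload), rows_unquoted(c, payload), rows_quoted(c, payload), rows_bound(c, payload))
```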

Source: https://habr.com/ru/post/1739023/
