5

How does mysql_real_escape_string work? Does it delete mysql functions or add // between mysql function? Is it better than addslashes

Improve this question
3
  • Delete or add what? Yes its better then addslashes. Commented Feb 15, 2011 at 18:26
  • IMO its better to trust, most of the time, something that works than to re-recreate if that's what u are talking about Commented Feb 15, 2011 at 18:30
  • 4
    @user553786: Please go accept some answers on your previously asked question. I'd also suggest you start using punctuation. Commented Feb 15, 2011 at 18:31

2 Answers 2

Reset to default
4

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.

IMO, its better to use this function than attempting to recreate, most of the time.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

When sanitizing database inputs you should always use mysql_real_escape_string over addslashes and other not native PHP functions unless you are using the newer PDO library.

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

Source@ http://php.net/manual/en/function.mysql-real-escape-string.php

You should also be aware that PHP has provided a native Library called PDO which is a class that manages your database sanitization so you do not have to worry to much.

Prepared statements are handled by the database service itself, this increases security and performance over all.

If you wish to implement prepared Statements you would need to learn and incorporate PDO Are another native database abstraction layer.

To implement PDO Click here

To learn more about Prepared Statements Click Here

Improve this answer

6 Comments

Nothing else? Numeric input, they need to be verified as numeric.
that's validation not sanitization
"Only ever rely on this function and nothing else." Or, rely on prepared queries, which are generally better.
Yes, my point is choose real escape over add slashes, Prepared statements are much better but the question was specifically about the native function.
Please clarify your answer then. In its current state it is wrong
|

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.