
Chris Shiflett's Blog:
The addslashes() Versus mysql_real_escape_string() Debate
Jan 23, 2006 @ 07:46:32

In his latest blog entry, Chris Shiflett looks at a debate that's been going on for a while now - addslashes() versus mysql_real_escape_string().

Last month, I discussed Google's XSS Vulnerability and provided an example that demonstrates it. I was hoping to highlight why character encoding consistency is important, but apparently the addslashes() versus mysql_real_escape_string() debate continues. Demonstrating Google's XSS vulnerability was pretty easy. Demonstrating an SQL injection attack that is immune to addslashes() is a bit more involved, but still pretty straightforward.

The remainder of the post explains the difference between the two, how one protects you where the other (addslashes) doesn't, and gives a simple example of how such an attack could be accomplished, including code...
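As an added example that is not part of Chris Shiflett's post or this summary, the following PHP shows the two defensive patterns the debate comes down to: escaping with the charset-aware mysqli function after the connection's charset has been set through the API, and, better still, a prepared statement where the user value never becomes part of the SQL text at all. The server credentials, the `users` table and the `username` column are placeholders and assumptions, not anything from the post.

```php
<?php
// Added example, not code from Chris Shiflett's post. Assumes a reachable MySQL
// server with the placeholder credentials below and a hypothetical `users`
// table with `id` and `username` columns.

declare(strict_types=1);

/**
 * addslashes() works byte by byte and knows nothing about the connection's
 * character set, so in a multibyte charset the backslash it inserts may be
 * consumed as part of a character rather than as an escape. The mysqli
 * escaping function escapes according to the charset the connection really
 * uses, which is why the charset is set via set_charset() (which informs the
 * client library) rather than with a "SET NAMES" query (which only tells
 * the server).
 */
function connect(string $host, string $user, string $pass, string $db, string $charset): mysqli
{
    $conn = new mysqli($host, $user, $pass, $db);
    if ($conn->connect_error) {
        throw new RuntimeException('Connection failed: ' . $conn->connect_error);
    }
    if (!$conn->set_charset($charset)) {
        throw new RuntimeException('Unable to set charset: ' . $conn->error);
    }
    return $conn;
}

/** Legacy style: charset-aware escaping (acceptable, but second best). */
function findUserEscaped(mysqli $conn, string $username): ?array
{
    $safe   = $conn->real_escape_string($username);
    $sql    = "SELECT id, username FROM users WHERE username = '{$safe}'";
    $result = $conn->query($sql);
    if ($result === false) {
        throw new RuntimeException('Query failed: ' . $conn->error);
    }
    return $result->fetch_assoc() ?: null;
}

/** Preferred: the value is bound as a parameter, so no escaping is involved. */
function findUserPrepared(mysqli $conn, string $username): ?array
{
    $stmt = $conn->prepare('SELECT id, username FROM users WHERE username = ?');
    if ($stmt === false) {
        throw new RuntimeException('Prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage with placeholder credentials; the charset passed here must match the
// encoding the application actually uses for its data.
$conn = connect('127.0.0.1', 'app', 'secret', 'appdb', 'utf8mb4');
var_dump(findUserPrepared($conn, $_GET['username'] ?? ''));
```

Whichever of the two functions is used, the point that settles the debate is that the escaping has to know the connection's charset; addslashes() never does, and a bound parameter sidesteps the question entirely.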

tagged: addslashes mysql_real_escape_string debate protect sql injection