Ilia Alshanetsky's Blog:
mysql_real_escape_string() versus Prepared Statements
January 23, 2006 @ 06:58:18

Ilia Alshanetsky also has his own look today at the "mysql_real_escape_string versus addslashes" debate that's going on, looking more at why there's even an issue here (with addslashes).

Chris has written a compelling piece about how the use of addslashes() for string escaping in MySQL queries can lead to SQL injection through the abuse of multibyte character sets. In his example he relies on addslashes() to convert an invalid multibyte sequence into a valid one, which also has an embedded ' that is not escaped. And in an ironic twist, the function intended to protect against SQL injection is used to actually trigger it.

The problem demonstrated actually goes a bit further, which makes even the prescribed escaping mechanism, mysql_real_escape_string(), prone to the same kind of issues affecting addslashes().

He shows code examples, creating a simple SQL injection that uses mysql_real_escape_string() to cause the same issue, all based around the default character set that the MySQL server uses. His suggested solution? Prepared statements (like what things such as PDO offer).
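To make the contrast concrete, here is an added example (not code from Ilia's post or from PHPDeveloper.org) showing the two routes side by side: the escaping route, which is only as good as the client library's knowledge of the connection character set, and the prepared-statement route, where the parameter never becomes part of the SQL text. It uses the mysqli and PDO equivalents of the old ext/mysql functions; the host, database, credentials and the "users" table are placeholders.

```php
<?php
// Added example: charset-dependent escaping versus a server-side prepared statement.
// Assumes MySQL on localhost, database "app", user "app", table users(username VARCHAR(64)).
// All of those names and the password are placeholders.

// --- Escaping route (mysqli counterpart of mysql_real_escape_string) ---
// The client library must be told the character set with set_charset(); a bare
// "SET NAMES ..." query only changes the server side, so real_escape_string()
// would keep escaping under the default charset, which is the mismatch the
// post describes. Even done right, the query is still built by string splicing.
function find_user_escaped(mysqli $db, string $username): ?array
{
    if (!$db->set_charset('utf8mb4')) {
        throw new RuntimeException('could not set connection charset: ' . $db->error);
    }
    $safe = $db->real_escape_string($username);
    $res  = $db->query("SELECT username FROM users WHERE username = '$safe'");
    return $res->fetch_assoc() ?: null;
}

// --- Prepared-statement route (what the post recommends) ---
// The charset goes in the DSN so the connection and the client library agree,
// and emulated prepares are switched off so PDO sends a real server-side
// PREPARE; the parameter value travels separately from the SQL text.
function pdo_connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',
        'app',
        'placeholder-password',
        [
            PDO::ATTR_EMULATE_PREPARES => false,
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        ]
    );
}

function find_user_prepared(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT username FROM users WHERE username = ?');
    $stmt->bindValue(1, $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Constructed input standing in for a request parameter.
$input = "O'Brien";
var_dump(find_user_prepared(pdo_connect(), $input));
```

With PDO::ATTR_EMULATE_PREPARES left at its MySQL default of true, PDO escapes client-side, so the DSN charset matters in that mode as well.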

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework