News Feed
Sections




News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Ilia Alshanetsky's Blog:
mysql_real_escape_string() versus Prepared Statements
January 23, 2006 @ 06:58:18

Ilia Alshanetsky also has hos own look today at the "mysql_real_escape_string versus addslashes" debate that's going on, looking more at why there's even an issue here (with addslashes).

Chris has written a compelling piece about how the use of addslashes() for string escaping in MySQL queries can lead to SQL injection through the abuse of multibyte character sets. In his example he relies on addslashes() to convert an invalid multibyte sequence into a valid one, which also has an embedded ' that is not escaped. And in an ironic twist, the function intended to protect against SQL injection is used to actually trigger it.

The problem demonstrated, actually goes a bit further, which even makes the prescribed escaping mechanism, mysql_real_escape_string() prone to the same kind of issues affecting addslashes().

He shows code examples, creating a simple SQL injection that uses mysql_real_escape_string to cause the same issue - all based around the default characterset that the MySQL server uses. His suggested solution? Prepared statements... (like what things such as PDO offer)

1 comment voice your opinion now!
addslashes mysql_real_escape_string debate prepared statements addslashes mysql_real_escape_string debate prepared statements


blog comments powered by Disqus

Similar Posts

Wez Furlong\'s Blog: Using PDO MySQL?

Community News: The Rev=Canonical Debate

Helgi\'s Blog: Clash of the Titans

DevShed: Working with Prepared Queries with PDO Objects in PHP 5

Ilia Alshanetsky\'s Blog: mysql_real_escape_string() versus Prepared Statements


Community Events





Don't see your event here?
Let us know!


threedevsandamaybe opinion list interview developer framework testing wordpress configure series podcast install introduction code release laravel community unittest refactor language

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework