Which function should be adopted for escaping strings?
Date 2006-05-25 06:34:07 | Category: PHP
This is a summary of a discussion with ELF about escaping strings for SQL.
I recommend addslashes():
(A) performance (B) compatibility with environments where magic_quotes_gpc=on (C) a reverse function exists (D) no DB connection needed
ELF recommends *_escape_string():
(1) the purpose is clear (2) easy to search with grep and replace with sed (3) can follow changes to the DB engine's spec
I think all of (1)(2)(3) stand to reason.
But I'll use addslashes() instead of mysql_real_escape_string() because I know the escaping rule of addslashes() exactly.
It is much better to use accustomed tools than unaccustomed ones.
e.g. I've just found a SQL injection in a famous script, caused by the developer not knowing that ` can't be escaped by addslashes()/mysql_real_escape_string().
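The backtick point above, as an added PHP example (not code from the original post): addslashes() rewrites only ' " \ and NUL, so a value used as an identifier needs a whitelist rather than an escaping function. The order_by_* functions and the column names are hypothetical.

```php
<?php
// Added example, not from the original post. Demonstrates the escaping rule
// of addslashes() and why it cannot protect a value placed between backticks.

// For a string literal, addslashes() handles ' " \ and NUL as expected.
$literal = "O'Reilly \"quoted\" back\\slash";
echo addslashes($literal), "\n";

// The backtick that delimits MySQL identifiers passes through unchanged.
echo var_export(addslashes("col`name") === "col`name", true), "\n";

// Unsafe pattern: escaping a value and then using it as an identifier.
// Since ` is untouched, $column can terminate the quoted identifier.
function order_by_unsafe(string $column): string {
    return "SELECT id FROM users ORDER BY `" . addslashes($column) . "`";
}

// Safe pattern: identifiers are not data, so check them against a fixed
// list of known column names (hypothetical names) instead of escaping.
function order_by_safe(string $column): string {
    $allowed = ['id', 'name', 'created_at'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("unknown sort column");
    }
    return "SELECT id FROM users ORDER BY `$column`";
}

echo order_by_unsafe("name`"), "\n";   // identifier quoting is broken here
echo order_by_safe("name"), "\n";
try {
    order_by_safe("name`");
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";      // rejected before reaching the query
}
```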