Which function should be adopted for escaping strings?

Date 2006-05-25 06:34:07 | Category: PHP

This is a summary of a discussion with ELF about escaping strings for SQL.

I recommend addslashes()

(A) performance
(B) compatibility with environments where magic_quotes_gpc=on
(C) a reverse function exists (stripslashes())
(D) no DB connection is required

ELF recommends *_escape_string()

(1) the purpose is clear
(2) easily searchable by grep and replaceable by sed
(3) can follow changes in the DB engine's spec

I think all of (1), (2) and (3) stand to reason.

But I'll use addslashes() instead of mysql_real_escape_string() because I know the escaping rules of addslashes() exactly.

It is much better to use familiar tools than unfamiliar ones.

e.g. I've just found a SQL injection in a famous script, caused by the developer's ignorance of the fact that ` cannot be escaped by addslashes()/mysql_real_escape_string().
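As an added example that is not part of the original post and not PEAK XOOPS code, the following PHP shows exactly what addslashes() escapes, why stripslashes() reverses it, and the backtick case mentioned above: input placed between backticks as an identifier is not protected by addslashes() or mysql_real_escape_string(), because neither function touches the backtick. The `$samples` and `$sort` values and the `users` table are constructed inputs; `safe_identifier()` and `quote_identifier()` are hypothetical helpers written for this example, not functions from any script the post refers to.

```php
<?php
// Added example, not code from the original post.
// 1. The escaping rule of addslashes(): it prefixes a backslash to the
//    single quote ('), double quote ("), backslash (\) and NUL byte. Nothing else.
$samples = ["O'Reilly", 'say "hi"', 'C:\\path', "a\0b", 'tick`mark'];   // constructed inputs
foreach ($samples as $s) {
    printf("%-14s -> %s\n", json_encode($s), addslashes($s));
}
// Note that 'tick`mark' comes back unchanged: the backtick is not escaped.

// 2. The reverse function exists: stripslashes() undoes addslashes(), which is
//    what you rely on when magic_quotes_gpc=on has already escaped every
//    GET/POST/COOKIE value before your script sees it.
$original = "O'Reilly \\ \"x\"";
if (stripslashes(addslashes($original)) !== $original) {
    throw new RuntimeException('stripslashes() did not reverse addslashes()');
}

// 3. A string literal in single quotes (single-byte character set assumed):
//    the attacker's quote is escaped and the literal stays closed.
$name = "x' OR '1'='1";
echo "SELECT * FROM users WHERE name = '" . addslashes($name) . "'", "\n";
// SELECT * FROM users WHERE name = 'x\' OR \'1\'=\'1'

// 4. The backtick problem from the post: user input used as an identifier.
//    Inside `...` only a backtick ends the identifier, so escaping quotes
//    achieves nothing and the query is cut open.
$sort = "id` DESC; DROP TABLE users; -- ";   // constructed attacker input
echo "SELECT * FROM users ORDER BY `" . addslashes($sort) . "`", "\n";
// SELECT * FROM users ORDER BY `id` DESC; DROP TABLE users; -- `

// 5. Two ways to close the hole. Preferred: only accept identifiers you know.
function safe_identifier(string $candidate, array $allowed): string
{
    if (!in_array($candidate, $allowed, true)) {
        throw new InvalidArgumentException("unknown column: $candidate");
    }
    return "`$candidate`";
}

// Alternative: apply MySQL's own rule for backtick-quoted identifiers,
// which is to double every backtick inside the name.
function quote_identifier(string $ident): string
{
    if (strpos($ident, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in identifier');
    }
    return '`' . str_replace('`', '``', $ident) . '`';
}

echo "SELECT * FROM users ORDER BY " . quote_identifier($sort), "\n";
// SELECT * FROM users ORDER BY `id`` DESC; DROP TABLE users; -- `
// MySQL now reads the whole thing as one (nonexistent) column name, not as
// three statements, and the query fails with an unknown-column error.

echo "SELECT * FROM users ORDER BY " . safe_identifier('id', ['id', 'name']), "\n";
// SELECT * FROM users ORDER BY `id`

try {
    safe_identifier($sort, ['id', 'name']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The whitelist approach is the one to reach for when the set of sortable or selectable columns is known in advance, which it almost always is; quote_identifier() is the fallback for the rare case where an identifier really is dynamic. Both are independent of whether the string literals in the same query are escaped with addslashes() or mysql_real_escape_string(), which is the point of the remark above: the choice between those two functions does not help with identifiers at all.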

You can read more news at PEAK XOOPS.
http://xoops.peak.ne.jp

The URL for this story is:
http://xoops.peak.ne.jp/md/news/index.php?page=article&storyid=112