News Feed
Sections




News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Ilia Alshanetsky's Blog:
mysql_real_escape_string() versus Prepared Statements
January 23, 2006 @ 06:58:18

Ilia Alshanetsky also has hos own look today at the "mysql_real_escape_string versus addslashes" debate that's going on, looking more at why there's even an issue here (with addslashes).

Chris has written a compelling piece about how the use of addslashes() for string escaping in MySQL queries can lead to SQL injection through the abuse of multibyte character sets. In his example he relies on addslashes() to convert an invalid multibyte sequence into a valid one, which also has an embedded ' that is not escaped. And in an ironic twist, the function intended to protect against SQL injection is used to actually trigger it.

The problem demonstrated, actually goes a bit further, which even makes the prescribed escaping mechanism, mysql_real_escape_string() prone to the same kind of issues affecting addslashes().

He shows code examples, creating a simple SQL injection that uses mysql_real_escape_string to cause the same issue - all based around the default characterset that the MySQL server uses. His suggested solution? Prepared statements... (like what things such as PDO offer)

1 comment voice your opinion now!
addslashes mysql_real_escape_string debate prepared statements addslashes mysql_real_escape_string debate prepared statements


blog comments powered by Disqus

Similar Posts

Wez Furlong\'s Blog: Using PDO MySQL?

Wez Furlong\'s Blog: Using PDO MySQL?

Internet Super Hero Blog: MySQL native driver for PHP: mysqlnd-5.0.1-beta available

Code Yellow Blog: What Your Framework Never Told You About SQL Injection Protection

Ivo Jansch's Blog: Donít use addslashes for database escapes


Community Events

Don't see your event here?
Let us know!


community library xdebug example interview version podcast extension api series opinion voicesoftheelephpant framework conference introduction laravel release symfony2 performance php7

All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework