Really you should use mysql_escape_string when cleansing input for the database That's PHPs native function. I can't understand why everyone is using addslashes still (myself included )
So basically as long as you are using something as input into an SQL query, it would be good to use mysql_real_escape_string() first, regardless of whether it is a Insert, Select or whatever kind of query ?
This function will escape special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used.
mysql_real_escape_string() calls MySQL's library function mysql_escape_string, which prepends backslashes to the following characters: NULL, \x00, \n, \r, \, ', " and \x1a.
This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
Really you should use mysql_escape_string when cleansing input for the database That's PHPs native function. I can't understand why everyone is using addslashes still (myself included )
You are saying Addslashes is not a native PHP function?
AFAIK they are both native and almost identical (not mysql_real.. because that one also uses the database connection to take the character set used in account).
mysql_(real_)escape_string can be used since PHP 4.0.3, where addslashes was already available since PHP 3.
I want to know whether I should use mysql_real or keep using addslashes. Someone give me a definite "this or that" answer, or else someone will be in much pain
Sorry I was tired last night when I made that post. I meant mysql_real_escape_string, and that addslashes won't properly escape everything pasted to an SQL query like mysql_real_escape_string will
03-24-2005, 11:59 PM
That's PHPs native function. I can't understand why everyone is using addslashes still (myself included 
)
Linear Mode
