This is a discussion on addslashes/mysql_real_escape_string within the PHP Language forums, part of the PHP Programming Forums category.
..oO(ndlarsen)

>> The best solution though is to use PDO and prepared statements.
>
> You sort of lost me here.

See the PDO section in the PHP manual. It's really not that complicated, but much more powerful and flexible.

Micha
Jerry Stuckle wrote:

> Read up on mysql_real_escape_string(). It does modify the data as it's
> being sent to the database - but the data is modified in a predictable
> way (i.e. to take care of embedded quotes, etc.). The result when
> retrieved from the database is just as you put it in there.
>
> All databases require some modification of the data to store special
> characters. But if you do the modification properly, the data is
> retrieved without modification. MySQL has a function which does this
> for you; some others don't.

Right, I think I got it now. Some of the testing code I used made it appear as if the string was automatically stripped of backslashes when I retrieved it from the database/table.

If I run mysql_real_escape_string() on a string prior to inserting it into a database/table, it is submitted to the database modified (with backslashes escaping special characters). If I retrieve that same string from the database/table, it is still modified and I need to strip the string of the backslashes, perhaps with stripslashes()?

Thank you.

Regards
ndlarsen
On Mar 27, 9:39 am, ndlarsen <use...@ionline.dk> wrote:

> Hello.
>
> It's been a while since I used php. Since then magic quotes has been
> deprecated and will be removed when php 6.0 hits. My question is, what
> should I be using when submitting data to a database instead? Which is
> better for security reasons, addslashes() or mysql_real_escape_string()?
>
> Thank you.
>
> Regards
>
> ndlarsen

I don't want to go off topic, but mysql_real_escape_string seriously leaks memory for me. Using MDB2's quote function it runs out of my allowed 200MB in a minute. If I just comment out mysql_real_escape_string inside the escape function there is no leak. Any idea?
In our last episode, <47ec1aef$0$90266$14726298@news.sunsite.dk>, the lovely
and talented ndlarsen broadcast on comp.lang.php:

> If I run mysql_real_escape_string() on a string prior to inserting it
> into a database/table, it is submitted to the database modified (with
> backslashes escaping special characters). If I retrieve that same string
> from the database/table, it is still modified and I need to strip the
> string of the backslashes, perhaps with stripslashes()?

No. The database will handle this. One of the reasons mysql_real_escape_string requires a database link is so that it can properly escape the string in light of the database character set. Mysql_real_escape_string provides data in a form the database can understand. In fact, the database stores that data by a somewhat different escape scheme and undoes its escapes when it returns data.

--
Lars Eighner <http://larseighner.com/> usenet@larseighner.com
Countdown: 298 days to go.
I appreciate your help and patience, I really do. I got it now, it seemed that I messed something up big time in my test scripts which caused me to believe that things were otherwise. After flushing the table and starting over things made more sense to me.

Thanks yet again.

ndlarsen
ndlarsen wrote:

> Jerry Stuckle wrote:
>> Read up on mysql_real_escape_string(). It does modify the data as
>> it's being sent to the database - but the data is modified in a
>> predictable way (i.e. to take care of embedded quotes, etc.). The
>> result when retrieved from the database is just as you put it in there.
>
>> All databases require some modification of the data to store special
>> characters. But if you do the modification properly, the data is
>> retrieved without modification. MySQL has a function which does this
>> for you; some others don't.
>
> Right, I think I got it now. Some of the testing code I used made it
> appear as if the string was automatically stripped of backslashes when I
> retrieved it from the database/table.
> If I run mysql_real_escape_string() on a string prior to inserting it
> into a database/table, it is submitted to the database modified (with
> backslashes escaping special characters). If I retrieve that same string
> from the database/table, it is still modified and I need to strip the
> string of the backslashes, perhaps with stripslashes()?
>
> Thank you.
>
> Regards
>
> ndlarsen
>

No. mysql_real_escape_string() only modifies the string for storage in the database (and no, it does not do the same thing as addslashes()). What you retrieve from the database will be identical to what you had before calling mysql_real_escape_string().

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Gabest wrote:

> On Mar 27, 9:39 am, ndlarsen <use...@ionline.dk> wrote:
>> Hello.
>>
>> It's been a while since I used php. Since then magic quotes has been
>> deprecated and will be removed when php 6.0 hits. My question is, what
>> should I be using when submitting data to a database instead? Which is
>> better for security reasons, addslashes() or mysql_real_escape_string()?
>>
>> Thank you.
>>
>> Regards
>>
>> ndlarsen
>
> I don't want to go off topic, but mysql_real_escape_string seriously
> leaks memory for me. Using MDB2's quote function it runs out of my
> allowed 200MB in a minute. If I just comment out
> mysql_real_escape_string inside the escape function there is no leak.
> Any idea?
>

I have never had a memory leak from mysql_real_escape_string(). What version are you running?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
> I have never had a memory leak from mysql_real_escape_string(). What
> version are you running?

5.2.5, but I'm not sure where to report this, mysql, php or pear :) I managed to narrow it down to a simple repro, it only happens if I pass a simplexml node to this function, which is actually an object. If I cast it to string or something then it's working fine.
Gabest wrote:

>> I have never had a memory leak from mysql_real_escape_string(). What
>> version are you running?
>
> 5.2.5, but I'm not sure where to report this, mysql, php or pear :) I
> managed to narrow it down to a simple repro, it only happens if I pass
> a simplexml node to this function, which is actually an object. If I
> cast it to string or something then it's working fine.
>

mysql_real_escape_string() is not meant to be taking objects. It requires a string. If you want to do this, you need a __toString() method in your class to convert to a string. Or, if you want to bring it back out into a string later, you should first serialize() the object, then after retrieval, unserialize() it.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================