br0ken Posted July 2, 2008

Up until now I've used a combination of strip_tags() and addslashes() to secure data before putting it into a SQL query. After coming on here recently I've been reading a lot about how this is not the way to go and I should be using mysql_real_escape_string() instead. My questions are: can addslashes() be fooled, and if so, how? Also, with my current validation techniques (addslashes(), strip_tags()), am I open to SQL injection? Thanks in advance!
rhodesa Posted July 2, 2008

This is a great site describing the details of all your options: http://cognifty.com/index.php/blog.entry/id=6/addslashes_dont_call_it_a_comeback.html

Personally, I always use mysql_real_escape_string(). If I were in an environment where I was using it hundreds of times per second, I would probably use some of the code in the URL above. But, since I don't, I just use mysql_real_escape_string().

As for strip_tags(), that has no bearing on SQL injection (if you use mysql_real_escape_string()). But, if you want to strip the tags out, go for it. Where strip_tags() comes into play is when you are displaying that text back on your site. Running the text through htmlspecialchars() when printing will keep 'tags' from being evaluated by the person's browser.
br0ken Posted July 2, 2008 (Author)

Thanks for the link. I've read through it, but it doesn't clearly state whether or not addslashes() can be fooled. If it can be fooled even in the slightest, then it's totally flawed and I'll have to replace it with mysql_real_escape_string(). Anyone got any knowledge on this?
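The following is an added example for this page, not code posted by anyone in the thread. It covers br0ken's question above (can addslashes() be fooled?) and rhodesa's earlier point that output encoding is a separate job from SQL escaping. The bypass it shows is the documented multibyte-charset problem: addslashes() works on bytes and does not know the connection charset, so under a charset such as GBK the backslash it inserts can be absorbed into a preceding lead byte, leaving the quote live. This needs the MySQL connection to actually be using such a charset; under UTF-8 or latin1 this particular trick does not apply, but addslashes() still escapes only ', ", \ and NUL, whereas mysql_real_escape_string() also handles \n, \r and Ctrl-Z and follows the connection charset. mysql_real_escape_string() belongs to the old ext/mysql extension, which was removed in PHP 7, so the example uses the mysqli equivalents. The `comments` table, its `body` column and the `DB_*` environment variables are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example for this thread, not code from any of the posters.
// Part 1 answers "can addslashes() be fooled?" with a constructed input.
// Part 2 shows the replacements: a charset-aware escape, a prepared
// statement, and htmlspecialchars() at output time.

// --- Part 1: the multibyte bypass ---------------------------------------
// addslashes() only knows bytes: it puts 0x5C (\) before ', ", \ and NUL.
// In GBK (CP936), 0xBF 0x5C is a single valid two-byte character, so the
// backslash addslashes() inserts is swallowed by the lead byte before it
// and the quote that follows is no longer escaped.
function addslashes_bypass_demo(): array
{
    $input   = "\xbf'";            // constructed attacker input: 0xBF then a quote
    $escaped = addslashes($input); // bytes: bf 5c 27

    // How a server whose connection charset is GBK reads the escaped bytes:
    // "\xbf\x5c" is one character and "'" is another, so 2 characters, not 3.
    $charsAsGbk = mb_strlen($escaped, 'CP936');

    // A query built by concatenation, the way the thread describes.
    $query = "SELECT * FROM users WHERE name = '" . $escaped . "'";

    return [
        'escaped_hex' => bin2hex($escaped), // "bf5c27"
        'gbk_chars'   => $charsAsGbk,       // 2: the quote is unescaped
        'query'       => $query,
    ];
}

// --- Part 2: what to use instead ----------------------------------------
// A charset-aware escape. The escaping function must know the connection
// charset, which is why mysqli::set_charset() is called at connect time;
// changing it with a "SET NAMES" query would leave the client library's
// idea of the charset out of date.
function escapeForConnection(mysqli $db, string $value): string
{
    // Assumes set_charset() was already called on $db.
    return $db->real_escape_string($value);
}

// Preferable: a prepared statement, where the value never becomes part of
// the SQL text at all. Assumed table: comments(id, body).
function insertComment(mysqli $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
    $stmt->bind_param('s', $body);
    $stmt->execute();
    return (int) $db->insert_id;
}

// Output encoding is a separate step from SQL escaping. strip_tags() on the
// way in does nothing for the query; htmlspecialchars() on the way out is
// what keeps stored text from being interpreted by the browser.
function renderComment(string $body): string
{
    return htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stand-alone run of the parts that need no database.
$demo = addslashes_bypass_demo();
printf("addslashes() output: %s, read as GBK: %d characters\n",
       $demo['escaped_hex'], $demo['gbk_chars']);
echo renderComment('<script>alert(1)</script> "quoted" & O\'Reilly'), "\n";

// Database-backed parts, only when the (hypothetical) DB_* variables are set.
if (getenv('DB_HOST') !== false) {
    $db = new mysqli(
        (string) getenv('DB_HOST'),
        (string) getenv('DB_USER'),
        (string) getenv('DB_PASS'),
        (string) getenv('DB_NAME')
    );
    $db->set_charset('utf8mb4');          // before any escaping or querying
    $safe = escapeForConnection($db, "O'Reilly");
    printf("escaped for this connection: %s\n", $safe);
    printf("stored as row %d\n", insertComment($db, "O'Reilly"));
}
```

Running the first part on its own shows addslashes() producing the bytes bf5c27 and mbstring counting them as two GBK characters, which is the whole problem: a concatenated query sees a closing quote the escaping was supposed to neutralise. The prepared statement avoids the question entirely, and real_escape_string() is the fallback where dynamic SQL text cannot be avoided, provided set_charset() has been called first.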
DarkWater Posted July 2, 2008

All it does, pretty much, is escape ' and ", which is not good enough for SQL queries, which need to have other things escaped, like ;, because they have significant value in a query.
This topic is now archived and is closed to further replies.