micmania1 Posted October 11, 2008

Hi, I've looked around the web for reasons to use either mysql_real_escape_string or addslashes, and both have vulnerabilities. I want to use addslashes because it is more suited to my needs; however, it is more vulnerable.

addslashes vulnerability
Vulnerabilities for both

I'm not too clued up on injection techniques, so I was hoping one of you could be of assistance.

```php
function escape_data($data) {
    // Put a backslash between the '0' and 'x' of hex-looking prefixes
    $data = str_replace('0x', '0\x', $data);
    $data = addslashes($data);
    // Chars not escaped by addslashes()
    $escape = array('%', '--');
    $replace = array('\\%', '-\\-');
    $data = str_replace($escape, $replace, $data);
    return $data;
}
```

How secure is that function?

Link to comment https://forums.phpfreaks.com/topic/127963-is-this-vulnerable-to-sql-injections/
waynew Posted October 11, 2008

mysql_real_escape_string() is the safest. It is only vulnerable when you are changing between charsets, and seeing as people rarely change charsets etc., I doubt that this so-called "vulnerability" is going to affect you. mysql_real_escape_string is from MySQL's side, whereas addslashes is from PHP's side. mysql_real_escape_string takes into account the current charset being used.
waynew Posted October 11, 2008

Also, why does addslashes suit your situation more than mysql_real_escape_string()?
micmania1 (Author) Posted October 11, 2008

mysql_real_escape_string escapes line breaks with too many backslashes. stripslashes() does not revert line breaks back to their original form; they appear as '\r\n'.
waynew Posted October 11, 2008

Then use nl2br().
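The defender's alternative to hand-rolled escaping, as an added example that is not from this thread: a PDO prepared statement stores and returns the exact input, including the "\r\n" the original poster had trouble with, shown beside the thread's escape_data(). It uses an in-memory SQLite database (assumed available) so it runs without a MySQL server.

```php
<?php
// Added example, not code from the thread: the same awkward input stored and
// read back through a PDO prepared statement, beside the thread's escape_data().
// Uses SQLite in memory (assumed available) so it runs offline; for MySQL the
// DSN would carry the charset, e.g. "mysql:host=db;dbname=app;charset=utf8mb4",
// so that the driver's own escaping is charset-aware.

function escape_data_from_thread(string $data): string {
    $data = str_replace('0x', '0\x', $data);
    $data = addslashes($data);
    return str_replace(['%', '--'], ['\\%', '-\\-'], $data);
}

function round_trip_check(): array {
    // Constructed sample input covering everything the thread worries about:
    // a quote, a CR LF line break, a percent sign, a comment marker, a hex prefix.
    $input = "O'Brien\r\nsays 100% -- 0x41";

    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

    // The bound value never becomes part of the SQL text, so the quote cannot
    // terminate the literal and nothing has to be escaped or un-escaped later.
    $ins = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
    $ins->execute([':body' => $input]);

    $sel = $db->prepare('SELECT body FROM notes WHERE body = :body');
    $sel->execute([':body' => $input]);
    $stored = $sel->fetchColumn();

    return [
        // Does the line break and every other byte come back unchanged,
        // with no stripslashes() step on the way out?
        'prepared_preserves_input' => $stored === $input,
        // Does the hand-rolled escaper leave the data alone? It rewrites '0x'
        // to '0\x' and adds backslashes, which the poster then has to undo.
        'escaper_preserves_input'  => escape_data_from_thread($input) === $input,
    ];
}

print_r(round_trip_check());
```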