[SOLVED] different between the mysql_real_escape_string() and addslashes()

[chaiwei]

Hi all,

 

I am a newbie in php.

I not really understand about the mysql_real_escape_string() and addslashes().

As I know so far mysql_real_escape_string() is better.(somebody told me)

But I don't know why?

 

Can Some One explain to me PLS??

Thanks in advance.

Have a Nice day!

 

regards,

chaiwei

[Mchl]

Because mysql_real_escape_string() is specifically crafted for use with mysql database, and it also takes into consideration the current character set of the connection (that's why there must be a connection handle available, before you can use mysql_real_escape_string()

 

Read more

[chaiwei]

Hi,

 

Thanks for the responding.

But if I didn't include the connection in the mysql_real_escape_string(), It is still work right?

(connection include in top)-->$conn=mysql_connect($host,$usr,$pw);

I just use $value=mysql_real_escape_string($value);

I have tried,it works.

 

But mysql_real_escape_string($value,$conn) require two input arguement right? value and the mysql connection.

 

Another issue, I saw in php.net. If:

 

$value=abc's;

$value1=abc\'s;

 

$value=mysql_real_escape_string($value,$conn);

$value1=mysql_real_escape_string($value1,$conn);

 

echo $value;  (value= abc\'s)

echo $value1; (value= abc\\'s)

 

So the $value1 is wrong right?

which i saw in forum they used get_magic_quotes_gpc() to validate;

but my question is if it is not get, post, or cookie;

then the function is not use at all right?

 

Please advise.Thanks for any help given.

 

regards,

chaiwei

 

 

 

 

 

[Mchl]

mysql_real_escape_string() will work with only one parameter. The second one, is needed, if for example you work with two database connections at once. Then you have to specify, which connection the function should work with.

 

And yes, this function is in general used to escape data entered by users. No need to escape data, that you yourself (as a programmer) escaped before.