string validation technique


linewire

I am wondering for the sake of understanding and learning.

instead of using mysql_real_escape_string()

if I used, for example: str_replace($string,"-","&","\");

 

Would this still have the amount of security? Or does the mysql_real have something extra?

 

(I didn't include all of the escaped characters in my str_replace, just a small example)

Since none of the chars in your example are of any particular threat to a query and your usage of str_replace seems invalid, don't you think it would be wiser to use something that is actually made for the job?

I stated that the chars in the example were not the specific chars escaped, but from what I understand the chars are \x00, \n, \r, \, ', ", \x1a

so what I was wondering was if str_replace( $str, "\" , " \" "," ' ");

would also work

 

In theory, yes ... you could rewrite a function, but why bother trying to reinvent the wheel?

 

And of course, using mysql_real_escape_string() in conjunction with other functions (built-in or self-fabricated) is ideal for further beefing of the system.

 

As thorpe stated, your usage of str_replace() is incorrect. Refer to the manual (also posted by thorpe) for the proper usage.
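
For reference, an added example (not from any post in this thread) of a str_replace()-based escaper for the characters listed above, next to a variant that shows why the order of replacements matters. The function names are hypothetical and the input is a constructed sample.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// The seven characters listed in the thread, each mapped to its escaped form.
// Backslash comes FIRST: str_replace() applies array pairs one after another,
// so backslashes inserted by earlier pairs would otherwise be escaped again.
const ESCAPE_MAP = [
    "\\"   => "\\\\",
    "\x00" => "\\0",
    "\n"   => "\\n",
    "\r"   => "\\r",
    "'"    => "\\'",
    '"'    => '\\"',
    "\x1a" => "\\Z",
];

// Correct argument order is str_replace($search, $replace, $subject).
// Unlike mysql_real_escape_string(), this works byte by byte and knows
// nothing about the character set of the database connection.
function manual_escape(string $value): string
{
    return str_replace(array_keys(ESCAPE_MAP), array_values(ESCAPE_MAP), $value);
}

// Same pairs, but with the backslash handled last: the backslash added in
// front of a quote is doubled afterwards, leaving the quote unescaped.
function manual_escape_wrong_order(string $value): string
{
    $map = ESCAPE_MAP;
    unset($map["\\"]);
    $map["\\"] = "\\\\";
    return str_replace(array_keys($map), array_values($map), $value);
}

// Constructed sample: a single quote plus a literal backslash followed by "n".
$input = "O'Reilly\\n";

echo "input:       ", $input, PHP_EOL;
echo "correct:     ", manual_escape($input), PHP_EOL;
echo "wrong order: ", manual_escape_wrong_order($input), PHP_EOL;
```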
