daydreamer Posted April 7, 2010

Is not using mysql_real_escape_string before putting strings into a mysql query a security problem if you apply the following steps before:

1. take out all ' and ".
2. apply stripslashes();
3. apply http://uk2.php.net/manual/en/function.addslashes.php
4. put the string between apostrophes: insert into table set column='user entered string'

Thanks, any opinions appreciated.
premiso Posted April 7, 2010

addslashes does not escape all the security flaws a string can add, which is why mysql_real_escape_string was created. So yes, you are potentially vulnerable for that reason.
Mchl Posted April 7, 2010

It could possibly be bypassed using some encoding tricks. Anyway, why go through all this when mysql_real_escape_string does it better?
daydreamer Posted April 8, 2010 (Author)

I agree and prefer to use mysql_real_escape_string, but a site I am working on has their own escape function, which also replaces ' and " so that if data is taken out, processed in some way and then put back into a table (if it contained a ') it will not have to be escaped again. I just wondered how secure it is.
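As an added illustration (not code from the thread or from the site in question), the four-step sanitiser described in the opening post, written out as a function, next to the parameterised insert that makes hand-rolled escaping unnecessary; the table and column names are the placeholders from the question, and `$pdo` is an assumed PDO connection.

```php
<?php
// Added example: the four-step sanitiser from the question, reproduced
// so its behaviour can be inspected, beside a prepared-statement insert.

// Steps 1-4 exactly as described in the post.
function legacy_sanitize(string $input): string
{
    $s = str_replace(["'", '"'], '', $input); // 1. take out all ' and "
    $s = stripslashes($s);                     // 2. undo any existing backslashes
    $s = addslashes($s);                       // 3. re-escape ' " \ and NUL bytes
    return "'" . $s . "'";                     // 4. wrap in apostrophes for SQL
}

// Caveat the thread hints at: step 1 is lossy. Legitimate data such as a
// surname with an apostrophe is silently altered before it is stored.
function demo_data_loss(): array
{
    return [
        'input'  => "O'Brien",
        'stored' => legacy_sanitize("O'Brien"), // "'OBrien'": the apostrophe is gone
    ];
}

// addslashes() knows nothing about the connection's character set, whereas
// mysql_real_escape_string() (and its mysqli/PDO successors) escape according
// to it. With a server-side prepared statement the value is never spliced into
// the SQL text at all, so no escaping step is needed and no data is mangled.
function insert_user_string(PDO $pdo, string $value): void
{
    // Send the statement and the value separately instead of interpolating.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $pdo->prepare('INSERT INTO `table` SET `column` = :v');
    $stmt->execute([':v' => $value]); // "O'Brien" is stored intact
}
```

The original mysql_* functions were removed in PHP 7, so the `mysqli` or PDO prepared-statement route is also the only one available on current PHP.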