daydreamer Posted April 7, 2010 Share Posted April 7, 2010 Is not using mysql_real_escape_string before putting strings into a mysql query a security problem if you apply the following steps before: 1. take out all ' and ". 2. apply stripslashes(); 3. apply http://uk2.php.net/manual/en/function.addslashes.php 4. put the string between apostrophes: insert into table set column='user entered string' Thanks any opinions appreciated Quote Link to comment Share on other sites More sharing options...
premiso Posted April 7, 2010 Share Posted April 7, 2010 addslashes does not escape all the security flaws a string can add, which is why mysql_real_escape_string was created. So yes, you are potentially vulnerable for that reason. Quote Link to comment Share on other sites More sharing options...
Mchl Posted April 7, 2010 Share Posted April 7, 2010 It could possibly be bypassed using some encoding tricks. Anyway, why go through all this whem mysql_real_escape_string does it better? Quote Link to comment Share on other sites More sharing options...
daydreamer Posted April 8, 2010 Author Share Posted April 8, 2010 I agree and prefer to use mysql_real_escape_string, but a site I am working on has their own escape function, that also replaces ' and " so that if data is taken out, processed in some way and then put back into a table (if it contained a ') it will not have to be escaped again. I just wondered how secure it is. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.