[SOLVED] What's better?

dustinnoe · March 26, 2007

addslashes() VS. mysql_real_escape_string()

mysql_real_escape_string() does more in the way of escaping special characters but runs about three times slower than addslashes()

I timed script execution and these are my results(in microseconds):

mysql_real_escape_string(): 7.3E-005

addslashes(): 2.4E-005

What's better?

Should I go for the speed of addslashes() or the completeness of mysql_real_escape_string()?

r-it · March 26, 2007

id say use mysql_real_escape_string as addslashes is still vulnerable to sql injection attacks

Orio · March 26, 2007

Yep, r-it is right. When it comes to security, don't compromise.

Orio.

dustinnoe · March 26, 2007

What is funny is that I had never even heard about mysql_real_escape_string() until browsing the manual. Every tutorial I have ever read has used addslashes().

As far as I can tell though addslashes() will do enough to stop SQL injection. Can you think of any examples where mysql_real_escape_string() is nessesary over addslashes()?

Orio · March 26, 2007

http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

Orio.

dustinnoe · March 26, 2007

http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

Orio.

I'm convinced!

Sign In

[SOLVED] What's better?

Recommended Posts

dustinnoe

Link to comment

Share on other sites

r-it

Link to comment

Share on other sites

Orio

Link to comment

Share on other sites

dustinnoe

Link to comment

Share on other sites

Orio

Link to comment

Share on other sites

dustinnoe

Link to comment

Share on other sites

Archived

Browse

Activity

Important Information