If I only escape the characters that mysql_real_escape_string recognizes, is  
this adequate protection against SQL injection attacks?

I have read a number of archived posts plus I've read some of the info at I am still not convinced as to what to do. The php folks claim that  
using mysql_real_escape_string is all that is needed. Then on the other  
hand, there is a myriad of opinions about that. I think I am inclined to  
side with the php folks.

One thing that bothers me about the mysql_real_escape_string is that it  
doesn't escape "--" which is a comment. One justification for this is that  
it would have to be delimited with an " ' " before it would have any effect.  
But I am not totally sure about that either.

Finally, what does the "real" mean in mysql_real_escape_string?


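As an added example (not code from this thread), a Python re-implementation of the characters mysql_real_escape_string escapes (NUL, newline, carriage return, backslash, single and double quote, Ctrl-Z), used to check the two points raised above: whether an escaped "--" can close a quoted literal, and whether escaping does anything at all when the value is interpolated without surrounding quotes. The function names are assumptions for the example; the real function also converts according to the connection's character set, which is omitted here.

```python
# Escaping table mirroring what mysql_real_escape_string does (charset handling aside).
ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def mysql_escape(value: str) -> str:
    """Escape the same characters mysql_real_escape_string escapes."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def literal_ends_early(body: str) -> bool:
    """Scan the body of a single-quoted literal the way the MySQL lexer does
    (default sql_mode, i.e. backslash escapes enabled): a backslash consumes the
    next character and '' is a doubled quote. Return True if an unescaped quote
    closes the literal before its end, so that anything after it (such as --)
    would be parsed as SQL rather than data."""
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            i += 2
            continue
        if ch == "'":
            if i + 1 < len(body) and body[i + 1] == "'":
                i += 2
                continue
            return True
        i += 1
    return False


def build_quoted_query(user_input: str) -> str:
    """The case escaping is designed for: the value sits inside quotes."""
    return "SELECT * FROM users WHERE name = '" + mysql_escape(user_input) + "'"


def escaping_changed(user_input: str) -> bool:
    """Check whether escaping touched the input at all; for a value that is
    interpolated unquoted (e.g. a numeric column) this is usually False."""
    return mysql_escape(user_input) != user_input


def safe_int(user_input: str) -> int:
    """Mitigation for the unquoted case: validate and cast instead of escaping."""
    if not user_input.isdigit():
        raise ValueError("expected an unsigned integer")
    return int(user_input)
```

The quoted-literal check shows why "--" on its own is harmless: after escaping, the quote that would have to precede it can no longer close the literal, while the unquoted case shows that escaping is not the control that matters there.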

Re: mysql_real_escape_string

Michael G wrote:


mysql_real_escape_string obeys the character set being used by the
system, which is always a better method.

Chris Shiflett* has a nice article about SQL injection and PHP over at:

[*] - Brief about Chris:

Justin Koivisto, ZCE -
