-2

Possible Duplicate:
Why shouldn’t I use mysql_* functions in PHP?

Hi, can I use code in PHP like this:

$s_username = addslashes(strip_tags($_POST['username'])); // addslashes() backslash-escapes quotes, backslashes and NUL; it knows nothing about the connection charset
$s_password = addslashes(strip_tags($_POST['password']));

Before this I used this:

$email = mysql_real_escape_string(strip_tags($_POST['email'])); // escapes according to the charset of the open mysql_* connection
$username = mysql_real_escape_string(strip_tags($_POST['username']));

...because many said that mysql_real_escape_string is dangerous to use?

    Who said that...? Perhaps they meant that you shouldn't use the mysql_* stack anymore and work with mysqli_* or PDO instead. The function itself is not *dangerous*, it's just deprecated. – Quasdunk Feb 02 '13 at 14:59
  • Dangerous? In what way exactly? – ASertacAkkaya Feb 02 '13 at 15:00
  • Use PDO or mysqli with prepared statements. – bitWorking Feb 02 '13 at 15:00
  • I'd not say explicitly dangerous if you know what you're doing, but `mysql_*` functions are deprecated and not very good to use in new code. PDO and MySQLi have functions that make the somewhat hard to use `mysql_real_escape_string` obsolete. – Joachim Isaksson Feb 02 '13 at 15:01
  • Someone among the Stack Overflow members said this: "noooooo dont use mysql_* functions its dangerous please. read up on prepared statements and start..." Is it true? I'm a newbie. – Rads Belson Feb 02 '13 at 15:02
  • @RadsBelson: Yes, this is true. For new projects it is always recommended to use PDO or `mysqli_*` with prepared statements. – nkr Feb 02 '13 at 15:04
  • If you have to use the `mysql` extension, then `mysql_real_escape_string` is preferable to untainting variables yourself. It is currently thought to be safe (has been in production many years) though as others have said, it is unmaintained. Switch if you can! – halfer Feb 02 '13 at 15:07

1 Answer

1

It's deprecated, which means it's not being maintained, so if a security flaw is discovered, the PHP developers aren't going to fix it. It's not dangerous though; it just escapes all bad characters that could be used for SQL injection.

Use mysqli_* functions or PDO instead. Those actually are being maintained and are way more secure.

  • They are in fact dangerous - http://www.iodigitalsec.com/mysql_real_escape_string-wont-magically-solve-your-sql-injection-problems/ – Stephen Mar 02 '15 at 20:33
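The answer recommends mysqli or PDO with prepared statements in place of the escaping shown in the question. The following is an added example, not code from the question or from any of the answers, that writes the same two inputs (username, email) and a password to a `users` table and reads them back with bound parameters, so no escaping function is involved at all. It assumes a MySQL database reachable with the DSN below and a table `users(id INT AUTO_INCREMENT PRIMARY KEY, username VARCHAR(64) UNIQUE, email VARCHAR(255), password_hash VARCHAR(255))`; the credentials are placeholders and the sample values at the bottom are constructed.

```php
<?php
// Added example (not from the question or answers): PDO and mysqli prepared
// statements in place of mysql_real_escape_string()/addslashes().
// Assumed schema: users(id, username UNIQUE, email, password_hash).
declare(strict_types=1);

function connect(): PDO
{
    // The connection charset is declared once here; with bound parameters the
    // driver, not string escaping, keeps data and SQL text apart.
    $dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // failures throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Register a user. The values never become part of the SQL text, so a quote
// or backslash in the input is stored literally rather than interpreted.
function registerUser(PDO $pdo, string $username, string $email, string $password): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, email, password_hash) VALUES (:username, :email, :hash)'
    );
    $stmt->execute([
        ':username' => $username,
        ':email'    => $email,
        ':hash'     => password_hash($password, PASSWORD_DEFAULT),
    ]);
    return (int) $pdo->lastInsertId();
}

// Look a user up by username with PDO. Whatever the string contains, it is
// compared against the column as a value and cannot alter the query.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, email, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// The same lookup with mysqli, which the answer also recommends.
// get_result() needs the mysqlnd driver (the default in current PHP builds).
function findUserMysqli(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE username = ?');
    $stmt->bind_param('s', $username); // 's' = bind as string; sent separately from the SQL text
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $user = findUser($pdo, $username);
    // password_verify() compares against the stored hash; the cleartext is never stored.
    return $user !== null && password_verify($password, $user['password_hash']);
}

// Usage with constructed sample values (requires the database described above).
$pdo = connect();
registerUser($pdo, 'alice', 'alice@example.com', 'correct horse battery staple');
var_dump(checkLogin($pdo, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($pdo, 'alice', 'wrong password'));
```

Note that `strip_tags()` from the question is an HTML output concern, not an SQL one: with bound parameters it is no longer needed for the database, and escaping for HTML belongs at the point where the value is rendered (for example with `htmlspecialchars()`), not at the point where it is stored.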