Possible Duplicate:
What does mysql_real_escape_string() do that addslashes() doesn't?

If not, I have used mysql_escape_string, and it adds characters to the words like \r\n, and I don't want that.

Seth

    `mysql_real_escape_string` won't add anything to the final data. If that happens for you, start a separate question about that, there is probably something else going on – Pekka Jan 09 '11 at 00:16
    If you're having problems with mysql_real_escape_string() adding stuff, make sure Magic Quotes is turned OFF. – keithjgrant Jan 09 '11 at 00:21
  • It's in your php.ini file: http://php.net/manual/en/security.magicquotes.php – keithjgrant Jan 09 '11 at 01:11

4 Answers

No, it's not safe. Use mysql_real_escape_string() instead. It shouldn't add anything beyond what it takes to escape the string.

http://php.net/mysql-real-escape-string

This applies to other databases too: use the extension-specific escape function.

Jonah
  • @MichaelTontchev It makes sure that everything is escaped for a SQL string in the proper way, not just quotes. There's a good explanation here: http://stackoverflow.com/questions/3473047 – Jonah May 19 '15 at 19:27
No, addslashes is not good enough. mysql_escape_string is not necessarily good enough. Use mysql_real_escape_string.

Whether you like what it adds or not doesn't matter, it only escapes characters to make sure the query syntax is valid. If this gets in the way of what you're doing, you're doing something wrong.

deceze
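The two answers above (Jonah's and deceze's) both say to use the driver's own escape function and that what it "adds" is nothing more than escaping. The following is an added example, not code from the thread or from PHP's documentation, that shows this concretely with the modern mysqli replacement for the removed mysql_* extension: `addslashes()` knows only a fixed set of bytes and nothing about the connection's character set, while `mysqli::real_escape_string()` escapes according to the charset the connection was set to, and a newline that comes out as the two characters `\` `n` in the SQL text is decoded back to a real newline when MySQL parses the literal, so the stored value is unchanged. The connection parameters, the environment variable names and the `escapeForLiteral` helper are assumptions made for this example.

```php
<?php
// Added example (not from the thread). Compares addslashes() with the
// connection-aware escape in mysqli, and proves that escaping a newline does
// not change the value MySQL ends up with. DB_* environment variables and the
// helper name are assumptions for illustration only.

declare(strict_types=1);

// Throw on any MySQL error instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Escape a PHP string for use INSIDE a single-quoted MySQL string literal and
// return the quoted literal. Escaping is only meaningful in this position; an
// unquoted number or an identifier gets no protection from it.
function escapeForLiteral(mysqli $db, string $value): string
{
    return "'" . $db->real_escape_string($value) . "'";
}

// Constructed sample input: a quote plus an embedded newline.
$input = "O'Reilly\nsecond line";

// addslashes() escapes only ' " \ and NUL, byte by byte, with no knowledge of
// which character set the connection uses. The newline byte is left as a raw
// newline.
$naive = addslashes($input);

$db = new mysqli(
    getenv('DB_HOST') ?: 'localhost',
    getenv('DB_USER') ?: 'app',
    getenv('DB_PASS') ?: '',
    getenv('DB_NAME') ?: 'app'
);
// The charset MUST be set through the API so the client library escapes for
// the charset the server will actually use; a raw "SET NAMES" query does not
// inform the client side.
$db->set_charset('utf8mb4');

// Here the quote is escaped AND the newline byte becomes the two characters
// backslash + n in the SQL text. That is the "\r\n" the question is seeing.
$literal = escapeForLiteral($db, $input);

// Round-trip: let MySQL parse the literal and hand the value back. MySQL
// decodes the escape sequences while parsing, so the returned value is
// byte-for-byte identical to $input. The escaping changed the SQL text, not
// the data.
$row = $db->query("SELECT $literal AS v")->fetch_assoc();
$roundTripsUnchanged = ($row['v'] === $input);

printf("addslashes(): %s\n", json_encode($naive));
printf("mysqli literal: %s\n", json_encode($literal));
printf("value survives round trip: %s\n", $roundTripsUnchanged ? 'yes' : 'no');
```

The `json_encode()` calls are only there to make the raw newline and the two-character `\n` visibly different on the terminal. The point for the asker: the escape function does not alter the words that get stored; if stored data really does come back with literal backslashes, something else in the pipeline (for example magic quotes, as the comment under the question suggests) is escaping a second time.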
The best way to prevent SQL injection is to use prepared statements with either mysqli or PDO.

Arkh
You also have the option of using the mysqli functions and Prepared Statements. This largely avoids the problem in the first place because all quotes are considered part of the data.

dkretz
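Arkh's and dkretz's answers both recommend prepared statements, which sidestep escaping entirely because the value is sent separately from the SQL text. The following is an added example, not code from the thread, doing the same lookup once with mysqli and once with PDO. The `users` table, its columns, the `DB_*` environment variables and the function names are assumptions made for this illustration.

```php
<?php
// Added example (not from the thread): one lookup written with a prepared
// statement in mysqli and in PDO. The user-supplied value is bound as a
// parameter, so quotes, backslashes and newlines inside it are plain data and
// there is no escaping step that can be done wrong. Table, columns and DB_*
// variables are assumed for illustration.

declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// --- mysqli -----------------------------------------------------------------
function findUserMysqli(mysqli $db, string $username): ?array
{
    // '?' is a placeholder; the SQL text never contains the value itself.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);   // 's' binds the value as a string
    $stmt->execute();
    // get_result() needs the mysqlnd driver, which is the default build.
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// --- PDO --------------------------------------------------------------------
function pdoConnect(): PDO
{
    $dsn = sprintf(
        'mysql:host=%s;dbname=%s;charset=utf8mb4',
        getenv('DB_HOST') ?: 'localhost',
        getenv('DB_NAME') ?: 'app'
    );
    return new PDO($dsn, getenv('DB_USER') ?: 'app', getenv('DB_PASS') ?: '', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Keep server-side prepares. With emulation on, PDO builds the quoted
        // literal client-side, which is the escaping path this thread warns about.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function findUserPdo(PDO $db, string $username): ?array
{
    // Named placeholder; the value is supplied to execute(), not interpolated.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :name');
    $stmt->execute([':name' => $username]);
    return $stmt->fetch() ?: null;
}

// Constructed sample input containing a quote and a newline. Neither driver
// interprets any of it as SQL; it is only a value to compare the column to.
$probe = "O'Reilly\nline two";

$mysqli = new mysqli(
    getenv('DB_HOST') ?: 'localhost',
    getenv('DB_USER') ?: 'app',
    getenv('DB_PASS') ?: '',
    getenv('DB_NAME') ?: 'app'
);
$mysqli->set_charset('utf8mb4');

var_dump(findUserMysqli($mysqli, $probe));
var_dump(findUserPdo(pdoConnect(), $probe));
```

Two caveats a practitioner will want: placeholders can only stand in for values, never for table or column names or for `ORDER BY` direction, so anything of that kind coming from the request has to be checked against a fixed allow-list; and with PDO the `ATTR_EMULATE_PREPARES` setting matters, because the emulated mode quotes the value on the client and relies on the connection charset being set correctly (which is why the DSN above names it).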