Mysql_Real_Escape_String VS Addslashes

mysql_real_escape_string VS addslashes

What you quote is probably from the doc, but as far as I know it's not necessarily true.

addslashes adds slashes to characters that are commonly disturbing. mysql_real_escape_string escapes whatever MySQL needs to be escaped. This may be more or less characters than what addslashes takes care of.

Also, mysql_real_escape_string will not necessarily add slashes to escape. While I think it works if you do it that way, recent versions of MySQL escape quotes by putting two of them together instead of by putting a slash before it.

I believe you should always use your data provider's escape function instead of addslashes, because addslashes may either do too much or not enough work for the purpose you use it. On the other hand, mysql_real_escape_string knows what to do to prepare a string for embedding it in a query. Even if the specs change about how to escape stuff and suddenly it's not backslashes that you should use anymore, your code will still work because mysql_real_escape_string will be aware of it.

What is the difference between mysql_real_escape_string and addslashes?

string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

string addslashes ( string $str )

Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).

They affect different characters. mysql_real_escape_string is specific to MySQL. Addslashes is just a general function which may apply to other things as well as MySQL.

What does mysql_real_escape_string() do that addslashes() doesn't?

Addslashes is generally not good enough when dealing with multibyte encoded strings.

What's the difference between PHP's addslashes and mysql(i)_escape_string?

First of all: do not use mysql_escape_string, it is deprecated (for a reason)!

If you have to support a legacy application that connects to the database through the mysql extension (which has been deprecated), use mysql_real_escape_string instead. Otherwise switch immediately to mysqli, where prepared statements and bound parameters provide a more robust mechanism for escaping user input.

That said, the answer can be found by reading the description of mysql_real_escape_string and addslashes:

Difference #1

addslashes does not know anything about MySql connection encodings. If you pass it a string containing bytes representing an encoding other than the encoding used by the MySql connection, it will happily escape all bytes having the values of the characters ', ", \ and \x00. This may not be the same as all the characters ', ", \ and \x00 if you are using an encoding other than 8-bit encodings and UTF-8. The result will be that the string received by MySql will be corrupted.

To trigger this bug, try using iconv to convert your variable to UTF-16 and then escape it with addslashes. See what your database receives.

This is one reason why addslashes should not be used for escaping.

Difference #2

In contrast to addslashes, mysql_real_escape_string also escapes the characters \r, \n, and \x1a. It appears that these characters have to be escaped as well when talking to MySql, otherwise a malformed query may be the result

This is the other reason why addslashes should not be used for escaping.

Confusion about mysql_real_escape_string and strip_slashes

Thank you everyone for the answers. I will award the +50 out, but I wanted to tell my real solution here, all which people did help with...

I was performing mysql_real_escape_string on all of the data AS SOON as it posted (before any processing). So, a slash was added to escape the ' character that was submitted. This, we know is normal.

However, there was no reason that the backslash \ should show up in the DB entry, right? The escape was there to be sure the ' was entered.

Turns out, AFTER escaping, I would then save the variable to be reloaded to the page in the session, in case the user had an error that PHP found while validating all of the form fields. In this case, the user's input (formerly O'riley was now printed to their screen as O\'riley. Then, the user didn't catch this - so they would often just fix their error that PHP caught during validation (unrelated to the name field), and thus the O\'riley would land in the database because mysql_real_escape_string would escape the characters.

Lesson:
When processing a form, FIRST save data for form-refill use. SECOND validate form fields. THIRD escape the data for processing into the database.

Or better yet, use PDO and avoid this =).

Comments welcome. THANKS ALL!

Htmlentities vs addslashes vs mysqli_real_escape_string

There are different contexts for your data. The context of inserting data into the database needs to be escaped differently than the context of rendering html/xml or even an email message.

Escaping data going into a db should be deprecated in all new code in favor of prepared statements. Anyone who tells you otherwise is doing you a great disservice.

Escaping data going to the browser needs to be escaped in a number of different ways depending on the target. Sometimes htmlspecialchars is enough, sometimes you need to use htmlentities. Sometimes you need numeric entities. It is a topic you should do some research on to know all of the nuances.

The general rule I live by is validate (not filter, reject if incorrect) input & escape output (based on context).

Bug with mysql_real_escape_string and addslashes

Don't bother using addslashes at all, mysql_real_escape_string is more than capable of doing it on its own. So use:

$title = mysql_real_escape_string($_POST['title']);

And remove the stripslashes from your retrieval code. If the problem persists, you probably have one of the magic_quotes options on - if so, turn it off!

SQL Injection and addSlashes

PDO and MySQLi have built-in functions for creating prepared queries which let you use quotes and apostrophes without any problems.

But for your question: Replace addslashes() with mysql_real_escape_string().


addslashes can be passed by very easily and is not safe at all.

Read this article for more info about bypassing addslashes.


Related Topics

Mechanisms for Tracking Db Schema Changes

How to Write a Stored Procedure Using PHPmyadmin and How to Use It Through PHP

How to Get the Total Number of Rows of a Group by Query

Instantiate a Class with or Without Parentheses

2 PHP.Ini Files

How to Check If String Is a Valid Xml Element Name

Could Not Instantiate Mail Function. Why This Error Occurring

Differencebetween Find(), Findorfail(), First(), Firstorfail(), Get(), List(), Toarray()

Detect Main Colors in an Image with PHP

Getting ’ Instead of an Apostrophe(') in PHP

How to Convert String to Boolean PHP

Yosemite/El Capitan PHP-Gd + Mcrypt Installation

How to Embed Images in HTML Email

How to Increment Letters Like Numbers in PHP

Populate a Drop Down Box from a MySQL Table in PHP

Sort an Array by a Child Array's Value in PHP

PHP Simplexml Get Innerxml

No Application Encryption Key Has Been Specified


Leave a reply



Submit