mysql-real-escape-string

I've been doing some reading on securing PHP applications, and it seems to me that mysqli_real_escape_string is the correct function to use when inserting data into MySQL tables because addslashes can cause some weird things to happen for a smart attacker. Right? However, there is one thing that is confusing me. I seem to remember being advised addslashes is better than htmlentities when echoing user-entered data back to users to protect their data, but it seems like addslashes is the one with the vulnerability. Is this true, or am I remembering incorrectly? There are different contexts for

I am very used to using MySQL and mysql_real_escape_string(), but I have been given a new PHP project that uses ODBC. What is the correct way to escape user input in a SQL string? Is addslashes() sufficient? I would like to get this right now rather than later! Instead of string escaping the PHP ODBC driver uses prepared statements. Use odbc_prepare to prepare an SQL statement and odbc_execute to pass in the parameters and execute the statements. (This is similar to what you can do with PDO). 来源： https://stackoverflow.com/questions/5713837/correct-way-to-escape-input-data-before-passing-to

Possible Duplicate: mysql_real_escape_string VS addslashes If they don't do exactly the same, what's the difference? The delimiter for values inside a MySQL query is the ' isn't it? Or maybe the " but that's also escaped with addslashes. In other database engines I understand (and definitely inside a db wrapper like PDO), but why are so many people so adament on using mysql(i)_escape_string instead of addslashes? Jon First of all: do not use mysql_escape_string , it is deprecated (for a reason)! If you have to support a legacy application that connects to the database through the mysql

Is there an easier way of safely extracting submitted variables other than the following? if(isset($_REQUEST['kkld'])) $kkld=mysql_real_escape_string($_REQUEST['kkld']); if(isset($_REQUEST['info'])) $info=mysql_real_escape_string($_REQUEST['info']); if(isset($_REQUEST['freq'])) $freq=mysql_real_escape_string($_REQUEST['freq']); (And: would you use isset() in this context?) To escape all variables in one go: $escapedGet = array_map('mysql_real_escape_string', $_GET); To extract all variables into the current namespace (i.e. $foo = $_GET['foo'] ): extract($escapedGet); Please do not do this last

Could some tell me if there is a function which works the same as PHP's mysql_real_escape_string() for Perl from the DBI module? You should use placeholders and bind values . Don't. Escape. SQL. Don't. Quote. SQL. Use SQL placeholders/parameters ( ? ). The structure of the SQL statement and the data values represented by the placeholders are sent to the database completely separately, so (barring a bug in the database engine or the DBD module) there is absolutely no way that the data values can be interpreted as SQL commands. my $name = "Robert'); DROP TABLE Students; --"; my $sth = $dbh-

So in this program I'm writing, I actually grab a SQL query from the user using a form. I then go on to run that query on my database. I know not to "trust" user input, so I want to do sanitization on the input. I'm trying to use mysql_real_escape_string but have been unsuccessful in getting it to work. Here's what I'm trying, given the input: select * from Actor; //"query" is the input string: $clean_string = mysql_real_escape_string($query, $db_connection); $rs = mysql_query($clean_string, $db_connection); if (!$rs) { echo "Invalid input!"; } This is ALWAYS giving me the "Invalid input!"