Addslashes and mysql_real_escape_string

Addslashes and collections. read addslashes and mysql_real_escape_string. This article describes how to use mysql_real_escape_string to sort and process user submitted data and use addslashes and mysql_escape_string.

This article describes the differences between using mysql_real_escape_string to sort user submitted data and using addslashes and mysql_escape_string functions. The escaped data can be directly inserted into the database.

The difference between addslashes and mysql_real_escape_string is well illustrated. although many PHP coders in China still rely on addslashes to prevent SQL injection (including me), I suggest you strengthen Chinese characters to prevent SQL injection. The problem with addslashes is that hackers can use 0xbf27 to replace single quotes, while addslashes only modifies 0xbf27 to 0xbf5c27 to be a valid multi-byte character, where 0xbf5c is still regarded as single quotes, therefore, addslashes cannot be intercepted.

Of course, addslashes is not useless either. it is used for processing single-byte strings and mysql_real_escape_string is used for multi-byte characters.

In addition, the example of get_magic_quotes_gpc in the php Manual is as follows:
If (! Get_magic_quotes_gpc ()){
$ Lastname = addslashes ($ _ POST ['lastname']);
} Else {
$ Lastname = $ _ POST ['lastname'];
}
If magic_quotes_gpc is enabled, check $ _ POST ['lastname.

Let's talk about the differences between the two functions mysql_real_escape_string and mysql_escape_string:
Mysql_real_escape_string can be used only when (PHP 4> = 4.3.0, PHP 5. Otherwise, only mysql_escape_string can be used. The difference between the two is:
Mysql_real_escape_string considers the current character set to be connected, while mysql_escape_string does not.

Summary:

Addslashes () is forcibly added;

Mysql_real_escape_string () will judge the character set, but there are requirements for the PHP version;

Mysql_escape_string does not consider the connected current character set.