The difference between the PHP functions mysql_real_escape_string and addslashes


addslashes and mysql_real_escape_string both filter data so that it is safe to insert into the database, so what is the difference between the two functions?

First, let's start with the PHP manual:

According to the manual, addslashes escapes single quotes ('), double quotes ("), backslashes (\) and NUL (the NULL byte).

The manual does not list the characters that mysql_real_escape_string escapes; it only says:

Note: mysql_real_escape_string() does not escape % and _.

Why doesn't the PHP manual say? Because the function is really a wrapper around a MySQL C API call, so we have to look at the MySQL manual, which says:

The characters encoded are NUL (ASCII 0), '\n', '\r', '\', ''', '"', and Control-Z (see Section 9.1, "Literal Values"). (Strictly speaking, MySQL requires only that backslash and the quote character used to quote the string in the query be escaped. The function quotes the other characters to make them easier to read in log files.)

The MySQL manual's wording above is, as usual, confusing.

To explore the difference between the two functions further, we have to read the PHP source.

This is the PHP addslashes function:

    PHP_FUNCTION(addslashes)
    {
        zval **str;

        if (ZEND_NUM_ARGS() != 1 || zend_get_parameters_ex(1, &str) == FAILURE) {
            WRONG_PARAM_COUNT;
        }
        convert_to_string_ex(str);
        if (Z_STRLEN_PP(str) == 0) {
            RETURN_EMPTY_STRING();
        }
        /* duplicate = 0: hand the newly allocated buffer to the return value */
        RETURN_STRING(php_addslashes(Z_STRVAL_PP(str),
                                     Z_STRLEN_PP(str),
                                     &Z_STRLEN_P(return_value), 0
                                     TSRMLS_CC), 0);
    }

Obviously it calls php_addslashes, so we continue with that function:

    PHPAPI char *php_addslashes(char *str, int length, int *new_length, int should_free TSRMLS_DC)
    {
        /* ignore_sybase = 0: honour the magic_quotes_sybase ini setting */
        return php_addslashes_ex(str, length, new_length, should_free, 0 TSRMLS_CC);
    }

That in turn calls php_addslashes_ex; we are peeling the onion and getting closer to the truth.

    PHPAPI char *php_addslashes_ex(char *str, int length, int *new_length, int should_free, int ignore_sybase TSRMLS_DC)
    {
        /* maximum string length, worst case situation */
        char *new_str;
        char *source, *target;
        char *end;
        int local_new_length;

        if (!new_length) {
            new_length = &local_new_length;
        }
        if (!str) {
            *new_length = 0;
            return str;
        }
        /* every byte may double, plus the terminating NUL */
        new_str = (char *) safe_emalloc(2, (length ? length : (length = strlen(str))), 1);
        source = str;
        end = source + length;
        target = new_str;

        if (!ignore_sybase && PG(magic_quotes_sybase)) {
            /* Sybase style: NUL becomes \0, a quote is doubled, nothing else is touched */
            while (source < end) {
                switch (*source) {
                    case '\0':
                        *target++ = '\\';
                        *target++ = '0';
                        break;
                    case '\'':
                        *target++ = '\'';
                        *target++ = '\'';
                        break;
                    default:
                        *target++ = *source;
                        break;
                }
                source++;
            }
        } else {
            /* normal style: NUL becomes \0; ', " and \ get a backslash in front */
            while (source < end) {
                switch (*source) {
                    case '\0':
                        *target++ = '\\';
                        *target++ = '0';
                        break;
                    case '\'':
                    case '\"':
                    case '\\':
                        *target++ = '\\';
                        /* break is missing *intentionally* */
                    default:
                        *target++ = *source;
                        break;
                }
                source++;
            }
        }
        *target = 0;
        *new_length = target - new_str;
        if (should_free) {
            STR_FREE(str);
        }
        new_str = (char *) erealloc(new_str, *new_length + 1);
        return new_str;
    }

The function above makes it perfectly clear which characters are escaped, so now let's look at mysql_real_escape_string.

It is not in string.c; it lives in the MySQL extension.

    PHP_FUNCTION(mysql_real_escape_string)
    {
        zval *mysql_link = NULL;
        char *str;
        char *new_str;
        int id = -1, str_len, new_str_len;
        php_mysql_conn *mysql;

        /* "s|r": a string and an optional link resource */
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|r", &str, &str_len, &mysql_link) == FAILURE) {
            return;
        }

        if (ZEND_NUM_ARGS() == 1) {
            /* no link given: fall back to the default link and require that it exists */
            id = php_mysql_get_default_link(INTERNAL_FUNCTION_PARAM_PASSTHRU);
            CHECK_LINK(id);
        }

        ZEND_FETCH_RESOURCE2(mysql, php_mysql_conn *, &mysql_link, id, "MySQL-Link", le_link, le_plink);

        new_str = safe_emalloc(str_len, 2, 1);
        /* the C API does the escaping, using the connection's character set */
        new_str_len = mysql_real_escape_string(&mysql->conn, new_str, str, str_len);
        new_str = erealloc(new_str, new_str_len + 1);

        RETURN_STRINGL(new_str, new_str_len, 0);
    }

This function has no onion to peel: it calls the MySQL C API function mysql_real_escape_string() directly.

It is important to note that before invoking the C API mysql_real_escape_string, this function first checks whether a database connection exists:

    CHECK_LINK(id);

That's the line.

So this means that mysql_real_escape_string can only be used after a database connection has been established. To confirm this, let's run a simple experiment:

    <?php
    echo mysql_real_escape_string("FDSAFDA ' Fdsa");

Results:

    Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'ODBC'@'localhost' (using password: NO) in PHPDocument1 on line 2

    Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in PHPDocument1 on line 2

As expected: there is no link to the database, so the function fails.
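To put the two character sets side by side, here is an added example in C (not PHP or MySQL source code) that re-implements the two escaping rules as the manuals and the source above describe them: the addslashes rule with magic_quotes_sybase off, and the list from the MySQL manual quote (NUL, \n, \r, \, ', " and Control-Z, with % and _ left alone). The names escape_addslashes, escape_mysql and rules_differ are this example's own, and the sample inputs are constructed. The real mysql_real_escape_string() additionally consults the connection's character set, which this standalone version cannot do; that dependency is the reason it needs a live link, and it is also why the two functions are not interchangeable on every input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* addslashes() rule (magic_quotes_sybase off): NUL becomes "\0",
 * and ', " and \ get a backslash in front. Returns a malloc'd
 * NUL-terminated string; the caller frees it. */
char *escape_addslashes(const char *src, size_t len, size_t *out_len)
{
    char *out = malloc(2 * len + 1);   /* worst case: every byte doubled */
    char *t = out;
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        switch (c) {
        case '\0':
            *t++ = '\\'; *t++ = '0';
            break;
        case '\'': case '"': case '\\':
            *t++ = '\\';
            /* fall through, exactly like php_addslashes_ex */
        default:
            *t++ = (char)c;
        }
    }
    *t = '\0';
    if (out_len) *out_len = (size_t)(t - out);
    return out;
}

/* mysql_real_escape_string() rule as listed in the MySQL manual:
 * NUL, \n, \r, \, ', " and Control-Z (0x1A) are escaped; % and _
 * are not. Character-set handling of the real C API is omitted here. */
char *escape_mysql(const char *src, size_t len, size_t *out_len)
{
    char *out = malloc(2 * len + 1);
    char *t = out;
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        switch (c) {
        case '\0': *t++ = '\\'; *t++ = '0'; break;
        case '\n': *t++ = '\\'; *t++ = 'n'; break;
        case '\r': *t++ = '\\'; *t++ = 'r'; break;
        case 0x1A: *t++ = '\\'; *t++ = 'Z'; break;
        case '\'': case '"': case '\\':
            *t++ = '\\'; *t++ = (char)c;
            break;
        default:
            *t++ = (char)c;
        }
    }
    *t = '\0';
    if (out_len) *out_len = (size_t)(t - out);
    return out;
}

/* Returns 1 when the two rules give different output for the input,
 * 0 when they agree. */
int rules_differ(const char *src, size_t len)
{
    size_t la = 0, lm = 0;
    char *a = escape_addslashes(src, len, &la);
    char *m = escape_mysql(src, len, &lm);
    int differ = (la != lm) || memcmp(a, m, la) != 0;
    free(a);
    free(m);
    return differ;
}

int main(void)
{
    /* Constructed sample inputs covering quotes, a backslash, a newline,
     * and the LIKE wildcards that neither function touches. */
    const char *samples[] = { "O'Reilly", "a\\b", "line1\nline2", "100%_x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = strlen(samples[i]);
        char *a = escape_addslashes(samples[i], n, NULL);
        char *m = escape_mysql(samples[i], n, NULL);
        printf("addslashes: %-14s mysql: %-14s %s\n", a, m,
               rules_differ(samples[i], n) ? "(differ)" : "(same)");
        free(a);
        free(m);
    }
    return 0;
}
```

Running it shows the two rules agree on quotes and backslashes but diverge as soon as a newline, carriage return or Control-Z is present, which is precisely the set the MySQL manual says the C API escapes "to make them easier to read in log files".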

That concludes the summary for now.

Now I finally understand why so many open-source programs such as Discuz use addslashes instead of mysql_real_escape_string.

So from now on I'll just use addslashes and can forget about mysql_real_escape_string for the time being!
