addslashes() vs mysql_escape_string()

<?paul

Saturday, September 22. 2007

Posted by Paul Reinheimer

Comments (4)
Trackbacks (0)

addslashes() vs mysql_escape_string()

The topic of the difference between addslashes() and mysql_escape_string() has come up a few times as of late, and I found myself actually having to look up the answer. I knew (as I hope you do) that the mysql_ version was better (mysql_real_escape_string() being better still), but I couldn't remember exactly why. In my research I found a bunch of miscellaneous blog posts that simply agreed with my understanding that mysql_escape_string() > addslashes(). Finally I found a post at NyPHP (of which I am a member) which described it in a bit more detail, listing some of the meta-characters that MySQL understands, but it didn't go into detail on exactly which characters were escaped. A chart, indicating my findings comparing addslashes to mysql_escape_string (all three sources of information are shown). I will consider the source and my test definitive (results after the jump).
    addslashes() mysql_escape_string()
Ascii Name testing testing source
0 Null      
8 Backspace      
9 Tab      
10 \n      
13 \r      
26 Substitute      
34 "      
39 '      
92 \      

So in conclusion: Use The Source! and you should use mysql_escape_string() over addslashes() to escape three additional characters, newline, carriage return, and substitute character.
Notes:
My test consisted of iterating through the ascii character chart, and comparing chr($i) to mysql_escape_string(chr($i)) then reporting if they didn't match (as would happen when something is escaped. Reading the source was looking at escape_string_for_mysql() in charset.c (part of mysql 5.0.45), and mysql_sub_escape_string() in libmysql.c shipped with the PHP 4 branch. The NyPHP document indicates that mysql_escape_string() and mysql_real_escape_string() all escape those same characters, it may be true that the real version escapes more, I intend to test more in the future.

Note^2
You shouldn't actually be using mysql_escape_string() you should be using mysql_real_escape_string() which takes the character set into account.

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

Character encoding matters:

http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
#1 Chris Shiflett (Homepage) on 2007-09-23 00:52 (Reply)
mysql_real_escape_string() is what every body should use i don't see reason why people should use others
#2 blackman (Homepage) on 2007-11-21 00:17 (Reply)
i get an error when i use the mysql_escape_string function in my perl script to import data from an xml data file into a mysql database.
i use this function to get rid of the error i get whenever i come across an apostrophe in the xml data file.

Undefined subroutine &main::mysql_escape_string

please help.
#2.1 sunz on 2007-12-03 15:56 (Reply)
I've been looking for this - thanks!
#3 Kamil (Homepage) on 2008-03-01 18:24 (Reply)

Add Comment
Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

 
   
 

Frontpage - Top level

Who Am I?

Hi, I'm Paul Reinheimer a developer working with PHP. I wrote a book titled Professional Web APIs with PHP back in 2006, and am currently a contractor, working primarily in Biomedical Informatics.

I'm working on a project to help developers called WonderProxy which has proxies all over the world. Working on GeoIP development? Now you can finally test properly! My hobbies are cycling, photography, and travel. I frequently write about PHP or other related technologies. Feel free to subscribe to just the PHP feed if you're only interested in such topics.

Paul Reinheimer



Quicksearch

Books

Paul Reinheimer's book recommendations, reviews, favorite quotes, book clubs, book trivia, book lists

Twitter

Twitter Updates

    follow me on Twitter

    Calendar

    Back September '10
    Mon Tue Wed Thu Fri Sat Sun
        1 2 3 4 5
    6 7 8 9 10 11 12
    13 14 15 16 17 18 19
    20 21 22 23 24 25 26
    27 28 29 30      

    Categories



    All categories

    Syndicate This Blog

    Blog Administration

    Open login screen