From: "Steve Hillier" <securityfocus () mastermindtoys com>
Date: Tue, 21 Jun 2005 13:49:55 -0400
I usually use the MySQL Improved functions (mysqli*) so I was just lazy
and didn't look up all the corresponding regular mysql functions. It is
better to use mysql_real_escape_string (or mysqli_real_escape_string in
I'm not sure if this is the thread where we should debate this, but I
think there are enough positives and negatives with stored procedures
that using such a tool would require serious thought.
Just my $0.02.
From: Christoph 'knurd' Jeschke [mailto:christoph.jeschke () gmail com]
Sent: Monday, June 20, 2005 8:06 p
To: security-basics () securityfocus com
Subject: Re: magic_quotes
Steve Hillier wrote:
> You should be using mysql_escape_string() to sanitise your input
> strings if you're going to be using them as-is inside SQL
Better use Stored Procedures (MySQL5) and
mysql_real_escape_string instead of mysql_escape_string.
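As an added example, not code from either poster, here is the path the thread is discussing written out in PHP with the mysqli functions Steve mentions: undo magic_quotes_gpc so the value is escaped exactly once, escape it with mysqli_real_escape_string() against the live connection (so the connection's character set is respected, which is what mysql_escape_string() lacked), and, as a further way of keeping data out of the SQL text entirely, bind the value through a prepared statement. The table, column names and connection details are placeholders I assumed.

```php
<?php
// Added example (not from the thread). Connection details, table and
// column names are placeholders.

// 1. Undo magic_quotes_gpc if it is on, so the value is escaped exactly once.
//    Leaving the backslashes in and escaping again stores "\'" in the
//    database and corrupts the data. (get_magic_quotes_gpc() exists in
//    PHP 4/5; it was removed in PHP 8, hence the function_exists() guard.)
function raw_input($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// 2. Build a quoted SQL literal with the connection-aware escaper.
//    mysqli_real_escape_string() knows the connection's character set,
//    so multi-byte sequences cannot smuggle a quote past the escaping.
function safe_literal(mysqli $link, $value)
{
    return "'" . mysqli_real_escape_string($link, raw_input($value)) . "'";
}

// 3. Prepared statement: the value is sent separately from the SQL text,
//    so there is nothing to escape at all.
function find_user(mysqli $link, $username)
{
    $stmt = mysqli_prepare($link, 'SELECT id, username FROM users WHERE username = ?');
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);   // requires the mysqlnd driver
    $row = mysqli_fetch_assoc($result);
    mysqli_stmt_close($stmt);
    return $row ? $row : null;
}

// Usage (placeholder credentials):
$link = mysqli_connect('localhost', 'dbuser', 'dbpass', 'appdb');
mysqli_set_charset($link, 'utf8mb4');   // escaping is only correct for the charset the connection uses

$name = isset($_GET['user']) ? $_GET['user'] : '';

// Escaping route: safe to splice in because it was escaped exactly once
// against this connection's character set.
$sql = 'SELECT id, username FROM users WHERE username = ' . safe_literal($link, $name);
$res = mysqli_query($link, $sql);

// Prepared-statement route: no escaping step in application code.
$user = find_user($link, raw_input($name));
```

Note that raw_input() is applied in both routes: magic_quotes alters the value before the script sees it, so the prepared statement would otherwise store the extra backslashes just as the escaping route would.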