mysql - What do I need to escape when sending a query?

When you execute a SQL query, you have to clean your strings or users can execute malicious SQL on your website. I usually just have a function escape_string(blah), which: Replaces escapes(\) with…


What is the difference between mysql_real_escape_string and addslashes?

mysql_real_escape_string and addslashes are both used to escape data before the database query, so what's the difference? (This question is not about parametrized queries/PDO/mysqli)…


Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?

Earlier today a question was asked regarding input validation strategies in web apps. The top answer, at time of writing, suggests in PHP just using htmlspecialchars and mysql_real_escape_string. My…


php - Possible to use multiple/nested MySQLi statements?

Is it possible to have a MySQLi prepared statement within the fetch() call of a previous statement? If not, what's the best way around it? Example code: if($stmt=$link->prepare("SELECT item FROM da…


Ensuring MySQL connection works in PHP function

I have code with the following form: <?php function doSomething{//Do stuff with MySQL $con->tralalala();}$con=connectToDatabase;//This would actually be a line or two. doSomething(); ?> This…


php - What does mysql_real_escape_string() do that addslashes() doesn't?

Why do we need DB-specific functions like mysql_real_escape_string()? What can it do that addslashes() doesn't? Ignoring for the moment the superior alternative of parameterized queries, is a webap…


php - Examples of SQL Injections through addslashes()?

In PHP, I know that mysql_real_escape is much safer than using addslashes. However, I could not find an example of a situation where addslashes would let an SQL Injection happen. Can anyone give some…


How to escape single quotes in MySQL

How do I insert a value in MySQL that consists of single or double quotes, i.e. This is Ashok's Pen. The single quote will create problems. There might be other escape characters. How do you insert th…


mysql - What characters have to be escaped to prevent(My)SQL injections?

I'm using MySQL API's function mysql_real_escape_string(). Based on the documentation, it escapes the following characters: \0 \n \r \ ' " \Z Now, I looked into OWASP.org's ESAPI security library and i…


php - Alternative to mysql_real_escape_string without connecting to DB

I'd like to have a function behaving as mysql_real_escape_string without connecting to a database, as at times I need to do dry testing without a DB connection. mysql_escape_string is deprecated and theref…
