Which escaping function is better for MySQL: `mysql_real_escape_string` or `addslashes`?

MySQL Escaping Functions: mysql_real_escape_string vs. addslashes

The PHP functions mysql_real_escape_string() and addslashes() are both used to escape potentially problematic characters in strings intended for insertion into MySQL databases. However, there are subtle distinctions between the two functions that can impact their suitability for different use cases.

addslashes()

addslashes() replaces a predefined set of characters with backslashes to prevent them from being interpreted as special characters by the database. The default set of characters escaped by addslashes() includes the single quote ('), double quote ("), backslash (), and NULL byte.

mysql_real_escape_string()

mysql_real_escape_string() wraps a call to MySQL's internal mysql_real_escape_string() function, which escapes a broader range of characters than addslashes(). Specifically, mysql_real_escape_string() escapes the following characters:

• x00 (NULL byte)
• n (line feed)
• r (carriage return)
• , (comma)
• ' (single quote)
• " (double quote)
• x1a (EOF (end of file))

Key Differences

The primary difference between mysql_real_escape_string() and addslashes() lies in their handling of the escape characters mentioned above. mysql_real_escape_string() escapes certain characters that addslashes() does not, such as the NULL byte, line feed, and carriage return.

Furthermore, mysql_real_escape_string() performs the escaping operation based on the rules defined by MySQL, which can differ from the escaping rules applied by addslashes(). In recent versions of MySQL, for example, string escaping may involve doubling the quote characters rather than preceding them with backslashes. mysql_real_escape_string() would handle these changes automatically, while addslashes() would not.

When to Use Which Function

Generally, mysql_real_escape_string() is preferred over addslashes() for escaping strings intended for MySQL databases. This is because mysql_real_escape_string() uses MySQL-specific escaping rules, ensuring that strings are properly prepared for insertion into MySQL queries.

On the other hand, addslashes() can be suitable in situations where you need to escape strings for other purposes, such as general text manipulation or preparing strings for display. However, it is essential to be aware of the limitations of addslashes() and to test your code thoroughly when using it for escaping strings intended for MySQL databases.

The above is the detailed content of Which escaping function is better for MySQL: `mysql_real_escape_string` or `addslashes`?. For more information, please follow other related articles on the PHP Chinese website!