addslashes v mysql_real_escape_string in PHP
Archive - Originally posted on "The Horse's Mouth" - 2008-07-27 00:49:02 - Graham Ellis
One of the most popular pages on our website is the one that shows you how to upload an image and store it in a database. And the associated demonstration showing you how to view images via a PHP script from a MySQL database is very popular too. An image may contain and ASCII characters at all ... so you can't just take the image data that you uploaded and put it into the MySQL INSERT statement - special characters such as NULL, and the double quote character, will cause problems - at best like the illustration you see accompanying this posting, and at worst you would leave yourself vulnerable to an injection attack.
PHP provides a number of routines to allow you to add in extra characters to the uploaded image to protect the special characters from the database handler and ensure the data does truly get inserted into the database.
addslashes use to work very nicely before the days of different character encoding - but it can't cope with that encoding in more recent MySQL versions and should no longer be used ...
mysql_escape_string adds in appropriate slashes but it doesn't take care of the current encoding type if it's none-default; this function was deprecated at PHP 4.3.0 and replace by the one you should use ...
mysql_real_escape_string which adds in the appropriate protection taking into proper account the current encoding.
If you're using the mysqli functions rather than the mysql ones, you should use mysqli_real_escape_string which is just an alias to mysql_real_escape_string