[TYPO3-core] PHP requirement version for TYPO3 4.0
Dmitry Dulepov
dima at spamcop.net
Tue Jan 24 16:53:02 CET 2006
Hi!
Kasper Skårhøj wrote:
> I understand that real_escape.... blabla () escapes more characters.
> What I don't understand is why more characters are dangerous? For all
> of TYPO3's life we have put binary and whatever else data into the
> database without a single problem using addslashes() (for mysql of
> course). Surely all bytes have been tested. Is it a combination of
> bytes or what? The fact is, it never failed and no one has given an
> example of where addslashes() will fail. All they say is that
> real_escape...() is better. Not good enough for me.
Well, I posted queries that *may* produce a security problem. As soon as
security is in question, I prefer to fix it. mysql_real_escape_string is
the function to use with mysql. This is the *official* function.
addslashes() is not; it is only used for historical reasons. Why do we
need to use a function which is not right for this task and ignore the right
function? I do not see any reason...
We use preg_replace to replace characters, we do not do "for" loops for
this, right? It is a good thing (not bad!) to use the right tools for the right
tasks. mysql_real_escape_string is the right tool in such a case.
Dmitry.