[TYPO3-core] PHP requirement version for TYPO3 4.0

Kasper Skårhøj kasper2006 at typo3.com
Tue Jan 24 17:06:35 CET 2006


Oh, yes. Let's just change it. I don't mind.


BUT: Why is it that no one can give a single example of an SQL injection
into MySQL which will show the difference of the two functions?

- kasper



On Jan 24, 2006, at 16:53 , Dmitry Dulepov wrote:

> Hi!
>
> Kasper Skårhøj wrote:
>> I understand that real_escape.... blabla () escapes more characters.
>> What I don't understand is why more characters are dangerous? For all
>> of TYPO3's life we have put binary and what else data into the
>> database without a single problem using addslashes() (for MySQL of
>> course). Surely all bytes have been tested. Is it a combination of
>> bytes or what? The fact is, it never failed and no one has given an
>> example of where addslashes() will fail. All they say is that
>> real_escape...() is better. Not good enough for me.
>
> Well, I posted queries that *may* produce a security problem. As soon as
> security is in question, I prefer to fix it.
> mysql_real_escape_string is the function to use with MySQL. This is the
> *official* function. addslashes() is not; it is only used for historical
> reasons. Why do we need to use a function which is not right for this
> task and ignore the right function? I do not see any reason...
>
> We use preg_replace to replace characters; we do not do "for" loops for
> this, right? It is a good thing (not bad!) to use the right tools for the
> right tasks. mysql_real_escape_string is the right tool in such a case.
>
> Dmitry.
> _______________________________________________
> TYPO3-team-core mailing list
> TYPO3-team-core at lists.netfielders.de
> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-team-core
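The thread above argues about which characters addslashes() and mysql_real_escape_string() handle without ever listing them side by side. The block below is an added example, not code from the TYPO3 list or project: it contains byte-level reference models of both PHP functions written from their documented character sets (addslashes: quote, double quote, backslash, NUL; mysql_real_escape_string: those plus newline, carriage return and Ctrl-Z), runs constructed inputs through both, and reports where they disagree. The table and column names in build_query are made up for the illustration. The models cover single-byte input only; the real mysql_real_escape_string() also consults the connection's character set, which addslashes() cannot do, and that is not modelled here.

```python
# Added example (not code from the TYPO3 thread or project): byte-level
# reference models of the two PHP escaping functions under discussion, so
# their output can be compared offline without a MySQL connection.
#
# Character sets as documented in the PHP manual:
#   addslashes()               escapes  '  "  \  NUL
#   mysql_real_escape_string() escapes  NUL \n \r  \  '  "  Ctrl-Z (\x1a)
# The models cover single-byte input only; the real mysql_real_escape_string()
# additionally honours the connection's character set, which addslashes()
# cannot do (assumption: that part is deliberately left out here).

ADDSLASHES_MAP = {
    "'": "\\'",
    '"': '\\"',
    "\\": "\\\\",
    "\0": "\\0",
}

MYSQL_REAL_ESCAPE_MAP = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}


def addslashes(value: str) -> str:
    """Model of PHP addslashes(): each listed character gets a backslash."""
    return "".join(ADDSLASHES_MAP.get(ch, ch) for ch in value)


def mysql_real_escape_string(value: str) -> str:
    """Model of PHP mysql_real_escape_string() for a single-byte charset."""
    return "".join(MYSQL_REAL_ESCAPE_MAP.get(ch, ch) for ch in value)


def build_query(escaper, title: str) -> str:
    """Interpolate an escaped value into a single-quoted SQL literal, the
    way the code under discussion does (table/column names are constructed)."""
    return "SELECT uid FROM pages WHERE title = '%s'" % escaper(title)


def differing_inputs(samples):
    """Return the sample strings on which the two models disagree."""
    return [s for s in samples if addslashes(s) != mysql_real_escape_string(s)]


# Constructed test inputs: ordinary quotes/backslashes plus the control
# characters that only mysql_real_escape_string() rewrites.
SAMPLES = [
    "O'Reilly",
    'say "hi"',
    "back\\slash",
    "nul\0byte",
    "line\nbreak",
    "cr\rhere",
    "ctrl\x1aZ",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", repr(addslashes(s)), "|", repr(mysql_real_escape_string(s)))
    print("differ on:", [repr(s) for s in differing_inputs(SAMPLES)])
    print(build_query(mysql_real_escape_string, "O'Reilly"))
```

On plain quote and backslash input the two models produce identical output, so the ASCII-only case Kasper asks about comes out the same either way; the visible difference is confined to the control characters that MySQL's string-literal grammar treats specially, and the part the model leaves out (connection charset handling) is exactly what addslashes() has no access to. Whichever escaper is chosen, the robust answer is to stop interpolating values into SQL at all and use parameterized queries (mysqli or PDO prepared statements), which removes the escaping question from application code.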
