mysql_real_escape_string() vs addslashes()

(pgs. 124-125)

When describing the function mysql_real_escape_string(), the following note was included:

Note: Performs the same functionality as addslashes().

While the two functions behave almost identically, the note oversimplifies the extra strength of mysql_real_escape_string(). At this point, I will pass on the following blog post, which provides some extra insight into the comparison of the two functions: addslashes() Versus mysql_real_escape_string() by Chris Shiflett. I was not previously aware of this difference and security loophole.
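To make the difference concrete, here is an added example written for this errata page (not code from the book or from Shiflett's post; the byte-wise addslashes() reimplementation, the helper names and the sample bytes are my own). addslashes() is charset-blind, so a backslash it inserts can be absorbed into a multibyte character under the charset the MySQL connection actually uses, whereas mysql_real_escape_string() escapes with knowledge of that charset. The check below decodes the escaped bytes the way the server would and reports any quote that is no longer protected by a backslash.

```python
# Added example: why charset-blind escaping (addslashes) is weaker than
# connection-aware escaping (mysql_real_escape_string). Nothing here is
# the book's or Chris Shiflett's code.

def addslashes_bytes(data: bytes) -> bytes:
    """Byte-wise reimplementation of PHP addslashes(): prefix ' " \\ and NUL
    with a backslash, without any knowledge of the character set."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def unescaped_quotes(escaped: bytes, charset: str) -> list:
    """Decode the escaped bytes in the connection charset, as the server would,
    and return the positions of quote characters that are NOT preceded by a
    backslash. Any hit means the escaping did not survive the charset."""
    text = escaped.decode(charset, errors="replace")
    hits = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            i += 2  # the escaped character is consumed together with the backslash
            continue
        if ch in ("'", '"'):
            hits.append(i)
        i += 1
    return hits


# Constructed sample: a byte that is a valid lead byte of a two-byte GBK
# character, followed by a single quote. Under a single-byte charset the
# 0xBF byte is just an ordinary character.
SAMPLE = b"\xbf\x27"


def check(charset: str) -> bool:
    """True if addslashes()-style escaping leaves an unprotected quote
    when the server interprets the bytes in the given charset."""
    return bool(unescaped_quotes(addslashes_bytes(SAMPLE), charset))


if __name__ == "__main__":
    for cs in ("latin1", "gbk"):
        print(cs, "->", "unprotected quote" if check(cs) else "ok")
```

Under latin1 the inserted backslash still protects the quote, while under GBK the bytes 0xBF 0x5C decode as one character and the quote stands alone, which is exactly the gap the book's note glosses over. The remedy is to escape with the connection's charset in view (mysql_real_escape_string() on an open connection) or, better still, to use prepared statements.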

define() referenced in Global Variables

(pg. 33)

The opening sentence for the Global Variables chapter reads as follows:

While some global variables can be created through the use of define(), some are reserved because of a special function, giving access to different types of data.

Technically, the define() function creates a constant that is available globally, as the description of the function on page 11 correctly states. Therefore, the sentence would be better phrased as follows:

While some constants can be made available globally through the use of define(), some are reserved because of a special function, giving access to different types of data.

$_SERVER['QUERY_STRING'] in Global Variables

(pg. 33)

The description in the book reads:

$_SERVER['QUERY_STRING'] – The current script's path

This description is the same as the entry above, because I made a bad edit (copy/paste for formatting). The correct description would be as follows:

$_SERVER['QUERY_STRING'] – The current query string (without the question mark)

The example itself is correct and accurate, and luckily the mistake is painfully obvious thanks to the name of the key, QUERY_STRING, in the $_SERVER array.