Languages are like tools: buying the best set you can afford is the best possible start to a project. PHP doesn't cause SQL injection flaws, but it doesn't make it any easier. How many escape functions are there? Shall we count them?
----------
mysql_escape_string() - Escapes a string for use in a mysql_query
mysql_real_escape_string() - Escapes special characters in a string for use in a SQL statement
mysqli_real_escape_string() - Escapes special characters in a string for use in a SQL statement, taking into account the current charset of the connection
addslashes() - Quote string with slashes
stripslashes() - Un-quotes a quoted string
The magic_quotes_gpc directive
The magic_quotes_runtime directive
stripcslashes() - Un-quote string quoted with addcslashes
stripslashes() - Un-quotes a quoted string
addcslashes() - Quote string with slashes in a C style
htmlspecialchars() - Convert special characters to HTML entities
quotemeta() - Quote meta characters
get_magic_quotes_gpc() - Gets the current configuration setting of magic quotes gpc
----------------
I especially love the contrast between "mysql_escape_string" and "mysql_real_escape_string," since the first one is fake in a magical, side-effect-laden way.
It basically argues that in PHP there's often an easy, insecure way to do something and a verbose, secure way to do it. With regards to SQL injection, Java is the same way; prepared statements are much more verbose and annoying than string concatenation.
They do exist, but I would never use any of them. I'd use a prepared statement. PHP has come a long way since stripslashes. It just isn't flavor of the month.
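The two approaches the thread keeps contrasting, side by side, as an added example that is not part of any comment above. It uses PDO with an in-memory SQLite database so it runs offline with a stock PHP CLI; the `users` table, the row in it, the `loginConcat` / `loginEscaped` / `loginPrepared` function names and the attacker-controlled `$password` value are all constructed here for illustration.

```php
<?php
// Added example (not from the thread): the "easy, insecure way", the
// escape-and-concatenate way, and the prepared-statement way to run the
// same login query. Everything below is constructed for illustration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$db->exec("INSERT INTO users (name, password) VALUES ('alice', 'correct horse')");

// Insecure: string concatenation. A single quote in $password closes the
// string literal and the remainder is parsed as SQL, so the WHERE clause
// becomes  name = 'alice' AND password = '' OR '1'='1'  and always matches.
function loginConcat(PDO $db, string $name, string $password): bool
{
    $sql = "SELECT id FROM users WHERE name = '$name' AND password = '$password'";
    return $db->query($sql)->fetch() !== false;
}

// Escape, then concatenate. PDO::quote() is the driver's equivalent of the
// mysql(i)_real_escape_string() family: it doubles the quotes so the literal
// stays closed. It only works if the escaping routine agrees with the server
// about the connection's character set, which is exactly the difference the
// thread draws between mysql_escape_string() and mysql_real_escape_string().
function loginEscaped(PDO $db, string $name, string $password): bool
{
    $sql = 'SELECT id FROM users WHERE name = ' . $db->quote($name)
         . ' AND password = ' . $db->quote($password);
    return $db->query($sql)->fetch() !== false;
}

// Prepared statement. The SQL is parsed with placeholders first and the values
// are bound afterwards, so $password is compared as an opaque string and has
// no way to change the shape of the query, whatever characters it contains.
function loginPrepared(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name AND password = :password');
    $stmt->execute([':name' => $name, ':password' => $password]);
    return $stmt->fetch() !== false;
}

// Hypothetical attacker-controlled login fields: a valid user name and a
// classic tautology payload in place of the password.
$name     = 'alice';
$password = "' OR '1'='1";

var_dump(loginConcat($db, $name, $password));
var_dump(loginEscaped($db, $name, $password));
var_dump(loginPrepared($db, $name, $password));
```

Run it with `php example.php`: the concatenated version logs the attacker in without the password, while both the escaped and the prepared versions reject the attempt. The difference between the last two is not what happens on this payload but what you have to get right: with escaping, every call site must pick the correct function for the driver and charset (the list above shows how many wrong choices PHP offers), whereas with a prepared statement the separation of code and data is done once by the driver and cannot be forgotten at the call site.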