2002-04-15 00:12:54 +00:00
<?xml version="1.0" encoding="iso-8859-1"?>
2004-08-11 08:32:23 +00:00
<!-- $Revision: 1.10 $ -->
2002-04-15 00:12:54 +00:00
<!-- splitted from ./en/functions/mysql.xml, last change in rev 1.62 -->
<refentry id= "function.mysql-escape-string" >
<refnamediv >
<refname > mysql_escape_string</refname>
<refpurpose >
Escapes a string for use in a mysql_query.
</refpurpose>
</refnamediv>
<refsect1 >
<title > Description</title>
<methodsynopsis >
<type > string</type> <methodname > mysql_escape_string</methodname>
<methodparam > <type > string</type> <parameter > unescaped_string</parameter> </methodparam>
</methodsynopsis>
<para >
This function will escape the <parameter > unescaped_string</parameter> ,
so that it is safe to place it in a <function > mysql_query</function> .
</para>
<note >
<simpara >
<function > mysql_escape_string</function> does not escape
<literal > %</literal> and <literal > _</literal> .
</simpara>
<simpara >
This function is identical to <function > mysql_real_escape_string</function> except that
2002-06-15 09:07:17 +00:00
<function > mysql_real_escape_string</function> takes a connection handler and escapes the
2002-04-15 00:12:54 +00:00
string according to the current character
set. <function > mysql_escape_string</function> does not take a
connection argument and does not respect the current charset setting.
</simpara>
</note>
2003-07-09 15:07:29 +00:00
<para >
<example >
<title > <function > mysql_escape_string</function> example</title>
<programlisting role= "php" >
2002-04-15 00:12:54 +00:00
< ![CDATA[
< ?php
2004-01-05 13:03:26 +00:00
$item = "Zak's Laptop";
$escaped_item = mysql_escape_string($item);
printf("Escaped string: %s\n", $escaped_item);
2002-04-15 00:12:54 +00:00
?>
]]>
2003-07-09 15:07:29 +00:00
</programlisting>
<para >
The above example would produce the following output:
</para>
2002-04-15 00:12:54 +00:00
<screen >
< ![CDATA[
Escaped string: Zak\'s Laptop
]]>
</screen>
2003-07-09 15:07:29 +00:00
</example>
</para>
2004-08-11 08:32:23 +00:00
<para >
<note >
<simpara >
This function has been deprecated since PHP 4.3.0.
Do not use this function. Use <function > mysql_real_escape_string</function>
instead.
</simpara>
</note>
</para>
2002-04-15 00:12:54 +00:00
<para >
2003-07-09 15:07:29 +00:00
See also
2002-04-18 18:47:41 +00:00
<function > mysql_real_escape_string</function> ,
2003-07-09 15:07:29 +00:00
<function > addslashes</function> and the
2002-04-18 18:47:41 +00:00
<link linkend= "ini.magic-quotes-gpc" > magic_quotes_gpc</link>
directive.
2002-04-15 00:12:54 +00:00
</para>
</refsect1>
</refentry>
<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
indent-tabs-mode:nil
sgml-parent-document:nil
sgml-default-dtd-file:"../../../../manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->
2004-08-11 08:32:23 +00:00
- mysql_escape_string calls MySQL's library function of the same name, which prepends slashes to the following characters: NUL (\x00), \n, \r, \, ', " and \x1a.
- AddSlashes escapes NUL, ', " and \.
$query = "SELECT * FROM adresses WHERE name='$name' AND private='N'";
mysql_query($query);
?>
Without mysql_escape_string a user could set name to "' OR 1=1 OR ''='"
effectively leading to the query:
SELECT * FROM adresses WHERE name='' OR 1=1 OR ''='' AND private='N'
