cut refpurpose

function tags, typos
not only inserting is vulnerable for sql injection
see alsos


git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@166848 c90b9560-bf6c-de11-be94-00142212c4b1

reference/mysql/functions/mysql-real-escape-string.xml

@@ -1,12 +1,11 @@
 <?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.13 $ -->
+<!-- $Revision: 1.14 $ -->
 <!-- splitted from ./en/functions/mysql.xml, last change in rev 1.100 -->
   <refentry id="function.mysql-real-escape-string">
    <refnamediv>
     <refname>mysql_real_escape_string</refname>
     <refpurpose>
-     Escapes special characters in a string for use in a SQL statement,
-     taking into account the current charset of the connection.
+     Escapes special characters in a string for use in a SQL statement
     </refpurpose>
    </refnamediv>
    <refsect1>
@@ -32,13 +31,13 @@
     <para>
      This function will escape special characters in the
      <parameter>unescaped_string</parameter>, taking into account the current
-     charset of the connection so that it is safe to place it in a
+     character set of the connection so that it is safe to place it in a
      <function>mysql_query</function>. If you wish to insert binary data
      you must use this function.
     </para>
     <para>
-     mysql_real_escape_string calls MySQL's library function (mysql_escape_string),
-     which prepends slashes to the following characters:
+     <function>mysql_real_escape_string</function> calls MySQL's library function
+     mysql_escape_string, which prepends backslashes to the following characters:
      <literal>NULL</literal>, <literal>\x00</literal>, <literal>\n</literal>,
      <literal>\r</literal>, <literal>\</literal>, <literal>'</literal>,
      <literal>"</literal> and <literal>\x1a</literal>.
@@ -63,11 +62,15 @@ $query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
      </example>
     </para>
     <para>
-     You must always (with few exceptions) use this function
-     to make your data safe before inserting. If you have
+     You must always (with few exceptions) use this function to make your data
+     safe before sending a query to MySQL. If you have
      <link linkend="ini.magic-quotes-gpc">magic_quotes_gpc</link> enabled,
-     you must first <function>stripslashes</function> your data. If you don't use
-     this, you leave yourself open to SQL Injection Attacks. Here's an example:
+     and you are working with data from user input, you must first
+     <function>stripslashes</function> your data. If your data are form other
+     sources and you have <link linkend="ini.magic-quotes-runtime">
+     magic_quotes_runtime</link> enabled, you also have to
+     <function>stripslashes</function> your data. If you don't do so, you leave
+     yourself open to SQL Injection Attacks. Here's an example:
     </para>
     <para>
      <example>
@@ -105,7 +108,7 @@ SELECT * FROM users WHERE name='aidan' AND password='' OR 1=1
 <![CDATA[
 <?php
 /**
- * Quote a variable to make it safe for insertion
+ * Quote a variable to make it safe
  */
 function quote_smart($value)
 {
@@ -143,15 +146,19 @@ mysql_query($query);
     <note>
      <simpara>
       <function>mysql_real_escape_string</function> does not escape
-      <literal>%</literal> and <literal>_</literal>. These are wildcards in MySQL if
-      combined with <literal>LIKE</literal>.
+      <literal>%</literal> and <literal>_</literal>. These are wildcards in
+      MySQL if combined with <literal>LIKE</literal>, <literal>GRANT</literal>,
+      or <literal>REVOKE</literal>.
      </simpara>
     </note>
     <para>
      See also
      <function>mysql_client_encoding</function>,
-     <function>addslashes</function>, and the 
-     <link linkend="ini.magic-quotes-gpc">magic_quotes_gpc</link>
+     <function>addslashes</function>,
+     <function>stripslashes</function>,
+     the <link linkend="ini.magic-quotes-gpc">magic_quotes_gpc</link>,
+     and the
+     <link linkend="ini.magic-quotes-runtime">magic_quotes_runtime</link>
      directive.
     </para>
    </refsect1>