From 5e999fe7a0c695d27c11817b724a4a2432afec35 Mon Sep 17 00:00:00 2001 From: Friedhelm Betz Date: Thu, 19 Aug 2004 17:00:07 +0000 Subject: [PATCH] cut refpurpose function tags, typos not only inserting is vulnerable for sql injection see alsos git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@166848 c90b9560-bf6c-de11-be94-00142212c4b1 --- .../functions/mysql-real-escape-string.xml | 37 +++++++++++-------- 1 file changed, 22 insertions(+), 15 deletions(-) diff --git a/reference/mysql/functions/mysql-real-escape-string.xml b/reference/mysql/functions/mysql-real-escape-string.xml index 30ae9fe87a..bacb4ff3c7 100644 --- a/reference/mysql/functions/mysql-real-escape-string.xml +++ b/reference/mysql/functions/mysql-real-escape-string.xml @@ -1,12 +1,11 @@ - + mysql_real_escape_string - Escapes special characters in a string for use in a SQL statement, - taking into account the current charset of the connection. + Escapes special characters in a string for use in a SQL statement @@ -32,13 +31,13 @@ This function will escape special characters in the unescaped_string, taking into account the current - charset of the connection so that it is safe to place it in a + character set of the connection so that it is safe to place it in a mysql_query. If you wish to insert binary data you must use this function. - mysql_real_escape_string calls MySQL's library function (mysql_escape_string), - which prepends slashes to the following characters: + mysql_real_escape_string calls MySQL's library function + mysql_escape_string, which prepends backslashes to the following characters: NULL, \x00, \n, \r, \, ', " and \x1a. @@ -63,11 +62,15 @@ $query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'", - You must always (with few exceptions) use this function - to make your data safe before inserting. If you have + You must always (with few exceptions) use this function to make your data + safe before sending a query to MySQL. If you have magic_quotes_gpc enabled, - you must first stripslashes your data. If you don't use - this, you leave yourself open to SQL Injection Attacks. Here's an example: + and you are working with data from user input, you must first + stripslashes your data. If your data are form other + sources and you have + magic_quotes_runtime enabled, you also have to + stripslashes your data. If you don't do so, you leave + yourself open to SQL Injection Attacks. Here's an example: @@ -105,7 +108,7 @@ SELECT * FROM users WHERE name='aidan' AND password='' OR 1=1 mysql_real_escape_string does not escape - % and _. These are wildcards in MySQL if - combined with LIKE. + % and _. These are wildcards in + MySQL if combined with LIKE, GRANT, + or REVOKE. See also mysql_client_encoding, - addslashes, and the - magic_quotes_gpc + addslashes, + stripslashes, + the magic_quotes_gpc, + and the + magic_quotes_runtime directive.