From 7725bc8c6b06387b50559f45529bf6826264ab53 Mon Sep 17 00:00:00 2001
From: Aidan Lister <aidan@php.net>
Date: Wed, 11 Aug 2004 08:32:23 +0000
Subject: [PATCH] Noted the function is deprecated.

git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@166020 c90b9560-bf6c-de11-be94-00142212c4b1
---
 .../mysql/functions/mysql-escape-string.xml   | 25 ++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/reference/mysql/functions/mysql-escape-string.xml b/reference/mysql/functions/mysql-escape-string.xml
index 187e718219..c3032d7707 100644
--- a/reference/mysql/functions/mysql-escape-string.xml
+++ b/reference/mysql/functions/mysql-escape-string.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.9 $ -->
+<!-- $Revision: 1.10 $ -->
 <!-- splitted from ./en/functions/mysql.xml, last change in rev 1.62 -->
   <refentry id="function.mysql-escape-string">
    <refnamediv>
@@ -53,6 +53,15 @@ Escaped string: Zak\'s Laptop
       </screen>
      </example>
     </para>
+    <para>
+     <note>
+      <simpara>
+       This function has been deprecated since PHP 4.3.0.
+       Do not use this function. Use <function>mysql_real_escape_string</function>
+       instead.
+      </simpara>
+     </note>
+    </para>
     <para>
      See also
      <function>mysql_real_escape_string</function>,
@@ -83,3 +92,17 @@ vim600: syn=xml fen fdm=syntax fdl=2 si
 vim: et tw=78 syn=sgml
 vi: ts=1 sw=1
 -->
+
+- mysql_escape_string calls MySQL's library function of the same name, which prepends slashes to the following characters: NUL (\x00), \n, \r, \, ', " and \x1a.
+
+- AddSlashes escapes NUL, ', " and \. 
+
+$query = "SELECT * FROM adresses WHERE name='$name' AND private='N'";
+
+mysql_query($query);
+?>
+
+Without mysql_escape_string a user could set name to "' OR 1=1 OR ''='"
+
+effectively leading to the query:
+SELECT * FROM adresses WHERE name='' OR 1=1 OR ''='' AND private='N' 
\ No newline at end of file