Arrgh - Didn't read my diffs. Removed notes from bottom of file.

git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@166022 c90b9560-bf6c-de11-be94-00142212c4b1
Aidan Lister 2004-08-11 08:40:28 +00:00
parent 7725bc8c6b
commit f18c1e52b4


@ -1,5 +1,5 @@
<?xml version="1.0" encoding="iso-8859-1"?>
<!-- $Revision: 1.10 $ -->
<!-- $Revision: 1.11 $ -->
<!-- splitted from ./en/functions/mysql.xml, last change in rev 1.62 -->
<refentry id="function.mysql-escape-string">
<refnamediv>
@ -91,18 +91,4 @@ End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->
- mysql_escape_string calls MySQL's library function of the same name, which prepends slashes to the following characters: NUL (\x00), \n, \r, \, ', " and \x1a.
- AddSlashes escapes NUL, ', " and \.
$query = "SELECT * FROM adresses WHERE name='$name' AND private='N'";
mysql_query($query);
?>
Without mysql_escape_string a user could set name to "' OR 1=1 OR ''='"
effectively leading to the query:
SELECT * FROM adresses WHERE name='' OR 1=1 OR ''='' AND private='N'
-->
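Review bot: the two removed lines are the most useful information in this trailing comment, and nothing in the visible hunk moves them into the documented body of the refentry; consider keeping the character list ("NUL (\x00), \n, \r, \, ', \" and \x1a" for mysql_escape_string versus "NUL, ', \" and \" for AddSlashes) as real documentation rather than dropping it, since it is exactly what tells a reader that the single quote is escaped and therefore why the injection example below (`' OR 1=1 OR ''='`) is neutralised. After this deletion the remaining context is a dangling commented-out fragment (`$query = ...`, `mysql_query($query);`, `?>`) with no opening tag in view and an example query that, because AND binds tighter than OR, evaluates as `name='' OR 1=1 OR (''='' AND private='N')` and so returns every row including private ones; either remove that leftover block in the same commit or turn it into a proper example in the refentry so the warning is actually rendered for readers.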