mirror of
https://github.com/sigmasternchen/php-doc-en
synced 2025-03-16 00:48:54 +00:00
Arrgh - Didn't read my diffs. Removed notes from bottom of file.
git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@166022 c90b9560-bf6c-de11-be94-00142212c4b1
This commit is contained in:
parent
7725bc8c6b
commit
f18c1e52b4
1 changed files with 2 additions and 16 deletions
|
@ -1,5 +1,5 @@
|
|||
<?xml version="1.0" encoding="iso-8859-1"?>
|
||||
<!-- $Revision: 1.10 $ -->
|
||||
<!-- $Revision: 1.11 $ -->
|
||||
<!-- splitted from ./en/functions/mysql.xml, last change in rev 1.62 -->
|
||||
<refentry id="function.mysql-escape-string">
|
||||
<refnamediv>
|
||||
|
@ -91,18 +91,4 @@ End:
|
|||
vim600: syn=xml fen fdm=syntax fdl=2 si
|
||||
vim: et tw=78 syn=sgml
|
||||
vi: ts=1 sw=1
|
||||
-->
|
||||
|
||||
- mysql_escape_string calls MySQL's library function of the same name, which prepends slashes to the following characters: NUL (\x00), \n, \r, \, ', " and \x1a.
|
||||
|
||||
- AddSlashes escapes NUL, ', " and \.
|
||||
|
||||
$query = "SELECT * FROM adresses WHERE name='$name' AND private='N'";
|
||||
|
||||
mysql_query($query);
|
||||
?>
|
||||
|
||||
Without mysql_escape_string a user could set name to "' OR 1=1 OR ''='"
|
||||
|
||||
effectively leading to the query:
|
||||
SELECT * FROM adresses WHERE name='' OR 1=1 OR ''='' AND private='N'
|
||||
-->
|
Loading…
Reference in a new issue