Posted by -Lost on 07/18/06 09:52
"Mike" <mike@mjfcadsolutions.co.uk> wrote in message news:1153208200.138238.108630@p79g2000cwp.googlegroups.com...
 
 > Now I still don't understand why.  If on a registration page where you
 > enter say a username I enter AND ' ' = ' ' and then I check the
 > database, it's stored it exactly like that - AND ' ' = ' '.
 
 I am not entirely sure about that example (as mysql_real_escape_string would handle it).
 I do know however, if you do something like:
 
 print mysql_real_escape_string('m\'m \/ m\'m'); // make sure a connection exists
 
 Results in:
 
 m\'m \\/ m\'m
 
 Where we actually wanted:
 
 m\\\'m \\/ m\\\'m
 
 addslashes fixes it, but in reality breaks the \\/ (makes it \\\\/).  So in closing, I am
 greatly interested in what others have to say.  I will keep my function that bans all
 quotes for now...
 
 -Lost
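As an added example (not code from the thread), the two strings quoted above handled with a bound parameter instead of string escaping, alongside the double-escaping effect described in the post. It substitutes addslashes for mysql_real_escape_string (no MySQL link is needed) and an in-memory SQLite database for MySQL so it runs offline; the PDO calls are the same against MySQL.

```php
<?php
// Added example, not code from the thread. Inputs are the two strings quoted above.
$username = "AND ' ' = ' '";       // what Mike typed into the username field
$path     = "m'm \\/ m'm";         // the PHP string m'm \/ m'm from the print statement

// 1) Layered escaping doubles backslashes on every pass.
//    mysql_real_escape_string needs a live MySQL link, so the first pass is
//    simulated with addslashes, which escapes the same characters for this
//    input (quote and backslash). Running a second escaping pass over the
//    already-escaped value is what the post's addslashes step does.
$once  = addslashes($path);   // m\'m \\/ m\'m
$twice = addslashes($once);   // m\\\'m \\\\/ m\\\'m
echo "escaped once:  $once\n";
echo "escaped twice: $twice\n";

// 2) A bound parameter bypasses string escaping entirely: the value travels
//    separately from the SQL text, so it is stored exactly as typed and can
//    never change what the statement does. SQLite in memory stands in for
//    MySQL so the script runs offline (assumption: pdo_sqlite is enabled).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');

$insert = $db->prepare('INSERT INTO users (username) VALUES (:u)');
foreach ([$username, $path, 'alice'] as $u) {
    $insert->execute([':u' => $u]);
}

// Read the first row back: stored verbatim, no added or lost backslashes.
$stored = $db->query('SELECT username FROM users WHERE id = 1')->fetchColumn();
var_dump($stored === $username);   // bool(true)

// A lookup with the quote-laden value as a parameter matches only its own row;
// the quotes and the = ' ' fragment are data, not SQL.
$count = $db->prepare('SELECT COUNT(*) FROM users WHERE username = :u');
$count->execute([':u' => $username]);
echo "rows matching the username: ", $count->fetchColumn(), "\n";   // 1
```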