Posted by Toby A Inkster on 03/11/07 08:15
dajava wrote:
 > he doesn't know the rationale behind mysql_real_escape_string.
 
 The rationale is thus:
 
 The apostrophe character (') has a special meaning in SQL in that it
 delimits (i.e. marks the beginning and end of) text. For example:
 
 UPDATE my_table SET my_col='Hello World!';
 
 Now, imagine that your text contains an apostrophe:
 
 UPDATE my_table SET my_col='It's Raining Men';
 
 Because the apostrophe is used to mark the end of some text, the above is
 interpreted by the SQL engine as:
 
 UPDATE my_table SET my_col='It'
 
 with some spurious text after it.
 
 mysql_real_escape_string(), and equivalent functions for other databases,
 is used to encode the apostrophes (and other special characters) to make
 them safe to use in SQL.
 
 --
 Toby A Inkster BSc (Hons) ARCS
 Contact Me ~ http://tobyinkster.co.uk/contact
 Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux
 
 * = I'm getting there!
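A runnable illustration of the point in the post above (added here; not code from the thread or from any of its posters). It uses Python's standard sqlite3 module instead of MySQL so it runs offline: the naive statement built the way the post warns against fails to parse once the value contains an apostrophe, the escaped version stores the text intact, and a bound parameter avoids string assembly altogether. The apostrophe-doubling in escape_sql_string() is the standard-SQL rule and is an assumption for this example; mysql_real_escape_string() in MySQL also handles backslashes, NUL bytes and line breaks, which are not reproduced here.

```python
import sqlite3


def make_db():
    """Constructed in-memory table mirroring the post's my_table / my_col."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_table (my_col TEXT)")
    conn.execute("INSERT INTO my_table (my_col) VALUES ('placeholder')")
    return conn


def read_back(conn):
    """Return whatever is currently stored in my_col."""
    return conn.execute("SELECT my_col FROM my_table").fetchone()[0]


def naive_statement(value):
    """Pastes the text straight between the apostrophes, exactly as the post
    describes: an apostrophe inside the value ends the literal early."""
    return f"UPDATE my_table SET my_col='{value}';"


def run_naive(conn, value):
    """Execute the unescaped statement.

    Returns ("ok", stored_text) when the engine accepts it, or
    ("error", message) when the stray apostrophe breaks the statement.
    """
    try:
        conn.execute(naive_statement(value))
        return ("ok", read_back(conn))
    except sqlite3.Error as exc:
        return ("error", str(exc))


def escape_sql_string(value):
    """Standard-SQL escaping (assumed for this example): every apostrophe
    inside a literal is doubled so the parser reads it as data, not as the
    end of the string."""
    return value.replace("'", "''")


def run_escaped(conn, value):
    """Same statement shape, but with the value escaped first."""
    conn.execute(naive_statement(escape_sql_string(value)))
    return read_back(conn)


def run_parameterized(conn, value):
    """Bound parameter: the driver sends the value separately from the SQL
    text, so no quoting rules are ever applied to it by hand."""
    conn.execute("UPDATE my_table SET my_col=?", (value,))
    return read_back(conn)


if __name__ == "__main__":
    song = "It's Raining Men"
    print(naive_statement(song))
    print("naive:", run_naive(make_db(), song))
    print("escaped:", run_escaped(make_db(), song))
    print("parameterized:", run_parameterized(make_db(), song))
```

Running it prints the broken statement from the post, followed by the parser error it produces, and then the same value stored correctly by the two safe variants.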