Posted by Oli Filth on 10/06/65 11:31
frizzle said the following on 07/11/2005 14:53:
> Hi groupies,
>
> I have 2 small questions, which I really want to be sure about:
>
> - does mysql_real_escape_string() prevent any kind of mysql-injection?
As long as you use it appropriately, i.e. use it on all string-based
values, and don't allow user input to directly govern query string
structure. Other data-types should be explicitly cast before being used
in a query.
> - can it put escaped quotes etc in the DB, or are those automatically
> 'converted' again?
mysql_real_escape_string() takes all instances of " and converts them to
\", and all instances of \ to \\, etc.
So if your input string already contains \", then it will be converted
to \\\" before being added to the query string. Therefore, (if used in
an INSERT statement), the database will then contain \". When SELECTING
this, the result will still be \".
--
Oli
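As an added example (not Oli's or PHP's own code), here is a small Python model of the escaping Oli describes, followed by a model of how the server decodes the quoted literal again, so the \" round-trip and the "literal ends early" failure mode can be checked directly. The names mysql_escape, parse_literal and round_trip are hypothetical stand-ins for this illustration.

```python
# Added example: a model of mysql_real_escape_string()'s character mapping
# (NUL, newline, CR, backslash, both quote characters and Ctrl-Z), written
# for this thread; it is not PHP's or MySQL's own code.
ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}
# Reverse mapping for the sequences mysql_escape() emits (only those).
UNESCAPES = {
    "0": "\0", "n": "\n", "r": "\r", "\\": "\\",
    "'": "'", '"': '"', "Z": "\x1a",
}


def mysql_escape(value: str) -> str:
    """Escape a string value the way mysql_real_escape_string() does."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def parse_literal(sql_literal: str) -> str:
    """Model how the server decodes a double-quoted string literal.

    An unescaped " inside the body terminates the literal; the remainder
    would then be parsed as SQL, which is exactly what escaping prevents.
    """
    if len(sql_literal) < 2 or sql_literal[0] != '"' or sql_literal[-1] != '"':
        raise ValueError("not a double-quoted literal")
    body, out, i = sql_literal[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            i += 1
            if i >= len(body):
                raise ValueError("dangling backslash at end of literal")
            out.append(UNESCAPES.get(body[i], body[i]))
        elif ch == '"':
            raise ValueError("unescaped quote ends the literal early")
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def round_trip(user_input: str) -> tuple[str, str]:
    """Return (text as it appears in the query, value the server stores)."""
    escaped = mysql_escape(user_input)
    stored = parse_literal('"' + escaped + '"')
    return escaped, stored
```

For the input \" from Oli's post, round_trip() returns \\\" as the query text and \" as the stored value, matching his description.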