Reply to Re: help : apostrophe/single quotation mark

Posted by Toby A Inkster on 03/11/07 08:15

dajava wrote:

> he doesn't know the rationale behind mysql_real_escape_string.

The rationale is thus:

The apostrophe character (') has a special meaning in SQL in that it
delimits (i.e. marks the beginning and end of) text. For example:

UPDATE my_table SET my_col='Hello World!';

Now, imagine that your text contains an apostrophe:

UPDATE my_table SET my_col='It's Raining Men';

Because the apostrophe is used to mark the end of some text, the above is
interpreted by the SQL engine as:

UPDATE my_table SET my_col='It'

with some spurious text after it.

mysql_real_escape_string(), and equivalent functions for other databases,
is used to encode the apostrophes (and other special characters) to make
them safe to use in SQL.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!
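
Added example (not part of the post above): the post's UPDATE statement run three ways, with the apostrophe pasted in unescaped, escaped, and passed as a bound parameter. It assumes Python with an in-memory SQLite database standing in for MySQL; the function names are illustrative, and the escaping shown is the SQL-standard doubled apostrophe rather than the backslash form mysql_real_escape_string() produces.

```python
import sqlite3

TITLE = "It's Raining Men"  # the text from the post, apostrophe included

def make_db():
    # Constructed in-memory table named after the post's my_table / my_col.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE my_table (my_col TEXT)")
    db.execute("INSERT INTO my_table VALUES ('Hello World!')")
    return db

def stored_value(db):
    return db.execute("SELECT my_col FROM my_table").fetchone()[0]

def update_concatenated(db, text):
    # The text is pasted between the delimiters, exactly as in the post.
    db.execute("UPDATE my_table SET my_col='" + text + "'")

def escape_literal(text):
    # SQL-standard escaping: a doubled apostrophe inside a literal stands
    # for one apostrophe. (mysql_real_escape_string() writes \' instead.)
    return text.replace("'", "''")

def update_escaped(db, text):
    db.execute("UPDATE my_table SET my_col='" + escape_literal(text) + "'")

def update_bound(db, text):
    # Bound parameter: the text travels separately from the SQL, so no
    # character in it can end the literal.
    db.execute("UPDATE my_table SET my_col=?", (text,))

def run_demo():
    results = {}
    db = make_db()
    try:
        update_concatenated(db, TITLE)
        results["concatenated"] = stored_value(db)
    except sqlite3.OperationalError as exc:
        # The engine saw 'It' followed by spurious text and rejected it.
        results["concatenated"] = "rejected: %s" % exc
    update_escaped(db, TITLE)
    results["escaped"] = stored_value(db)
    db = make_db()
    update_bound(db, TITLE)
    results["bound"] = stored_value(db)
    return results

if __name__ == "__main__":
    for how, outcome in run_demo().items():
        print("%-12s -> %s" % (how, outcome))
```

The bound-parameter form needs no escaping function at all, which is why it is the usual choice where the database driver supports it.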
