Posted by Kimmo Laine on 05/28/05 21:01

"Dave Moore" <dave_m_moore@post2me.freeserve.co.uk> kirjoitti
viestiss�:d7aaq1$ggu$1@newsg1.svr.pol.co.uk...
> Hi All,
> Can anybody point me to a FAQ or similar that describes what all this
> stuff is about please?. I'm interfacing with a MySQL database if that's
> relavent. I've read a couple of books which refer to stripslahes and
> 'escaping' but nothing really explains what these terms are and why these
> are used. Why is 'escaping' (whatever that is) used?. What the hell is a
> magic quote?. How is it different from a non-magic one?.
>


Imagine you have a database where you insert names. You use a SQL query:
INSERT INTO names VALUES('John Doe')

Here the name John Doe is isolated with pair of '' quotes. That's how MySQL
knows where the name begins and where it ends.

Now an italian guy comes with a name like Giovanni D'Angelo. Look what
happens:
INSERT INTO names VALUES('Giovanni D'Angelo')

Here MySQL sees a string Giovanni D and some crap after that, since it
interprets the first occurance of ' as the end of the string. This is:
unless it is ESCAPED. Escaping means we tell MySQL that the particular ' is
in fact a part of the string and not the ending quote:

INSERT INTO names VALUES('Giovanni D\'Angelo')

the ' in D'Angelo is escaped with backslash: \' . Now MySQL bypasses it
thanks to the escaping and sees the string as "Giovanni D'Angelo" and works
correctly.

Magic Quotes is a mechanism of PHP that automatically escapes all user
inputs. So that when D'Angelo typed his name and submitted the form, it
comes to PHP already escaped, as "Giovanni D\'Angelo" and you don't have to
worry about it. If the magic qoutes are turned off, you need to do the
escaping by yourself for each input you want. And addslashes does just this.

--
"I am pro death penalty. That way people learn
their lesson for the next time." -- Britney Spears

eternal.erectionN0@5P4Mgmail.com

[Back to original message]