ID: 26230
Updated by: [EMAIL PROTECTED]
Reported By: icemaze at tiscalinet dot it
-Status: Open
+Status: Bogus
Bug Type: MySQL related
Operating System: Linux 2.6
PHP Version: 4.3.3
New Comment:
Thank you for taking the time to write to us, but this is not a bug.
Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report a bug
at http://bugs.php.net/how-to-report.php

Backquotes are used to escape field names.


Previous Comments:
------------------------------------------------------------------------

[2003-11-12 18:57:17] icemaze at tiscalinet dot it

Description:
------------
I think mysql_escape_string() and mysql_real_escape_string() should
escape backquotes to avoid potential security problems in case an
application uses an input field as the name for a table or for a field.
So...

Reproduce code:
---------------
<?php
$name  = $_POST["name"];
$ename = mysql_real_escape_string($name);   // escapes quotes/backslashes only; backquotes pass through
print("'$name' => '$ename'");
// $ename is used as a table name, i.e. in identifier position, not as a string value
@mysql_query("INSERT INTO `$ename` SET `blah`='blah'");
?>

Expected result:
----------------
'` SET `protectedfield`=1' => '\` SET \`protectedfield\`=1'

Actual result:
--------------
'` SET `protectedfield`=1' => '` SET `protectedfield`=1'

This way the query modifies a field which was not supposed to be
modified.

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=26230&edit=1
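Editor's worked example, added here and not part of the report or of the developer's reply: it shows why escaping string values does nothing for an identifier position, and the two fixes a practitioner would apply instead. escape_string_value() only emulates the character set that mysql_real_escape_string() escapes (NUL, \n, \r, backslash, single and double quote, Ctrl-Z) so the script runs without a MySQL connection; quote_identifier(), resolve_table() and its allow list are assumptions for illustration, not PHP or MySQL API.

```php
<?php
// Emulation of the characters mysql_real_escape_string() escapes. It runs
// offline; note that the backtick is not in this list, which is the whole
// point of the bug report above.
function escape_string_value(string $value): string
{
    return strtr($value, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Identifier quoting (hypothetical helper): MySQL writes a literal backtick
// inside a backtick-quoted identifier as two backticks, so doubling them
// keeps whatever the user sent confined to a single table name.
function quote_identifier(string $name): string
{
    if (strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('identifiers cannot contain NUL');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

// Preferred fix (hypothetical allow list): user input never becomes SQL text
// at all; a short token selects one of a fixed set of real table names.
function resolve_table(string $token): string
{
    static $allowed = ['users' => 'app_users', 'orders' => 'app_orders'];
    if (!isset($allowed[$token])) {
        throw new InvalidArgumentException("unknown table token: $token");
    }
    return '`' . $allowed[$token] . '`';
}

// Constructed input: the reporter's payload from the bug above.
$name = '` SET `protectedfield`=1';

// 1. Vulnerable, exactly as in the report: string escaping in identifier
//    position. escape_string_value() returns the payload unchanged, so the
//    backticks end up in the query text as-is.
$vulnerable = "INSERT INTO `" . escape_string_value($name) . "` SET `blah`='blah'";
echo $vulnerable, "\n";
// INSERT INTO `` SET `protectedfield`=1` SET `blah`='blah'

// 2. Hardened by identifier quoting: every backtick is doubled, so the
//    payload is parsed as one (odd-looking) table name and nothing else.
$quoted = "INSERT INTO " . quote_identifier($name) . " SET `blah`='blah'";
echo $quoted, "\n";
// INSERT INTO ``` SET ``protectedfield``=1` SET `blah`='blah'

// 3. Hardened by allow list: the payload is rejected before any SQL exists.
try {
    $safe = "INSERT INTO " . resolve_table($name) . " SET `blah`='blah'";
    echo $safe, "\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
// rejected: unknown table token: ` SET `protectedfield`=1
```

Run it with the php CLI. The developer's reply is the key to both fixes: backquotes are identifier syntax, so an identifier needs identifier quoting (doubled backticks inside backticks), and string-value escaping can never supply that. Where the set of tables or columns is known in advance, the allow list is the better choice, because the user's text then never reaches the query at all.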