ID: 30424
User updated by: tomer at ivrit dot org dot il
Reported By: tomer at ivrit dot org dot il
Status: Open
Bug Type: MySQL related
Operating System: Linux
PHP Version: 5.0.1
New Comment:
Sorry from all the testing I confused it up.
It won't return an error but instead it will submit only the 'a'
character and drop the rest of the string after it.
Previous Comments:
------------------------------------------------------------------------
[2004-10-13 21:42:46] tomer at ivrit dot org dot il
Description:
------------
It seems that mysql_real_escape_string fails to escape
the string 'a"b`c'd/e\f' (without the surrounding quotes)
right..
Reproduce code:
---------------
While magic_quotes_gpc are off and submitting on a POST form:
a"b`c'd/e\f
$query = sprintf("UPDATE tbl SET field='%s'",
mysql_real_escape_string($_POST['name']));
$result = mysql_query($query);
Expected result:
----------------
The mysql_error() will be a syntax error of course..
Actual result:
--------------
You have an error in your SQL syntax near 'd/e\f', ...
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=30424&edit=1
