Jason Wong wrote:

But why do they say in the manual that only the backslash character, and the string quote character needs to be escaped?

I've been able to inject sql queries into form fields that escape the backslash character and quote characters.


Is an example using / and * characters. Many times you can encode your data into some other form that gets past mysql_escape_string(). According to the documentation, mysql_escape_string() is _not_ meant to be used for security purposes. It's meant to be used to escape binary data so you can use it with insert statements. You can use it if you want, but you will be burned by it eventually.

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to