John W. Holmes wrote:
> Then make sure $name has all single quotes escaped within it. If all of
> them are escaped, then it's just a string and can't do any harm. If they
> aren't escaped, then the user can break out of your own SQL and put
> their own.
I'm confused about when I should escape single or double quotes. Should all
quotes be stored as \" or \' in a database as well?
Regarding your suggestion above, is this what I should do? ...
$name = "John AND fname = 'Mary'";
$name = addslashes($name);
// $name now holds: "John AND fname = \'Mary\'"
This forces MySQL to read \' as a character rather than as the beginning of
a variable value. So, in essence, this would produce a mySQL error instead
of executing the query, is that correct?
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php