aidan Wed Aug 11 04:32:24 2004 EDT
Modified files:
/phpdoc/en/reference/mysql/functions mysql-escape-string.xml
Log:
Noted the function is deprecated.
http://cvs.php.net/diff.php/phpdoc/en/reference/mysql/functions/mysql-escape-string.xml?r1=1.9&r2=1.10&ty=u
Index: phpdoc/en/reference/mysql/functions/mysql-escape-string.xml
diff -u phpdoc/en/reference/mysql/functions/mysql-escape-string.xml:1.9
phpdoc/en/reference/mysql/functions/mysql-escape-string.xml:1.10
--- phpdoc/en/reference/mysql/functions/mysql-escape-string.xml:1.9 Mon Jan 5
08:03:26 2004
+++ phpdoc/en/reference/mysql/functions/mysql-escape-string.xml Wed Aug 11 04:32:23
2004
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.9 $ -->
+<!-- $Revision: 1.10 $ -->
<!-- splitted from ./en/functions/mysql.xml, last change in rev 1.62 -->
<refentry id="function.mysql-escape-string">
<refnamediv>
@@ -54,6 +54,15 @@
</example>
</para>
<para>
+ <note>
+ <simpara>
+ This function has been deprecated since PHP 4.3.0.
+ Do not use this function. Use <function>mysql_real_escape_string</function>
+ instead.
+ </simpara>
+ </note>
+ </para>
+ <para>
See also
<function>mysql_real_escape_string</function>,
<function>addslashes</function> and the
@@ -83,3 +92,17 @@
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->
+
+- mysql_escape_string calls MySQL's library function of the same name, which prepends
slashes to the following characters: NUL (\x00), \n, \r, \, ', " and \x1a.
+
+- AddSlashes escapes NUL, ', " and \.
+
+$query = "SELECT * FROM adresses WHERE name='$name' AND private='N'";
+
+mysql_query($query);
+?>
+
+Without mysql_escape_string a user could set name to "' OR 1=1 OR ''='"
+
+effectively leading to the query:
+SELECT * FROM adresses WHERE name='' OR 1=1 OR ''='' AND private='N'
\ No newline at end of file
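Review bot: The fourteen lines added after `-->` (the note comparison, the `$query` snippet, the stray `?>` and the injected-query illustration) land after the file's closing comment, i.e. outside the `<refentry>` root, so the document is no longer well-formed XML: character data after the root element is not allowed, and `?>` without a matching `<?target` is not a processing instruction. This reads like a user note pasted by accident while editing, since the commit message only mentions the deprecation notice. Either drop everything after `-->` or, if the escaped-character comparison and the unescaped-input example are wanted, move them inside the refentry as a `<para>` plus an `<example>` wrapping the PHP in `<programlisting role="php"><![CDATA[ ... ]]></programlisting>`, so the `$query` text is treated as data rather than markup. The added line at `mysql_escape_string calls MySQL's library function` also appears to wrap onto the next line without a `+` marker, presumably mail wrapping, so the committed file may carry that break; worth checking against the repository copy.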