betz Thu Aug 19 13:00:08 2004 EDT
Modified files: /phpdoc/en/reference/mysql/functions mysql-real-escape-string.xml Log: cut refpurpose function tags, typos not only inserting is vulnerable for sql injection see alsos http://cvs.php.net/diff.php/phpdoc/en/reference/mysql/functions/mysql-real-escape-string.xml?r1=1.13&r2=1.14&ty=u Index: phpdoc/en/reference/mysql/functions/mysql-real-escape-string.xml diff -u phpdoc/en/reference/mysql/functions/mysql-real-escape-string.xml:1.13 phpdoc/en/reference/mysql/functions/mysql-real-escape-string.xml:1.14 --- phpdoc/en/reference/mysql/functions/mysql-real-escape-string.xml:1.13 Thu Aug 19 07:13:46 2004 +++ phpdoc/en/reference/mysql/functions/mysql-real-escape-string.xml Thu Aug 19 13:00:07 2004 @@ -1,12 +1,11 @@ <?xml version="1.0" encoding="iso-8859-1"?> -<!-- $Revision: 1.13 $ --> +<!-- $Revision: 1.14 $ --> <!-- splitted from ./en/functions/mysql.xml, last change in rev 1.100 --> <refentry id="function.mysql-real-escape-string"> <refnamediv> <refname>mysql_real_escape_string</refname> <refpurpose> - Escapes special characters in a string for use in a SQL statement, - taking into account the current charset of the connection. + Escapes special characters in a string for use in a SQL statement </refpurpose> </refnamediv> <refsect1> 
@@ -32,13 +31,13 @@ <para> This function will escape special characters in the <parameter>unescaped_string</parameter>, taking into account the current - charset of the connection so that it is safe to place it in a + character set of the connection so that it is safe to place it in a <function>mysql_query</function>. If you wish to insert binary data you must use this function. </para> <para> - mysql_real_escape_string calls MySQL's library function (mysql_escape_string), - which prepends slashes to the following characters: + <function>mysql_real_escape_string</function> calls MySQL's library function + mysql_escape_string, which prepends backslashes to the following characters: <literal>NULL</literal>, <literal>\x00</literal>, <literal>\n</literal>, <literal>\r</literal>, <literal>\</literal>, <literal>'</literal>, <literal>"</literal> and <literal>\x1a</literal>. @@ -63,11 +62,15 @@ </example> </para> <para> - You must always (with few exceptions) use this function - to make your data safe before inserting. If you have + You must always (with few exceptions) use this function to make your data + safe before sending a query to MySQL. If you have <link linkend="ini.magic-quotes-gpc">magic_quotes_gpc</link> enabled, - you must first <function>stripslashes</function> your data. If you don't use - this, you leave yourself open to SQL Injection Attacks. Here's an example: + and you are working with data from user input, you must first + <function>stripslashes</function> your data. If your data are form other + sources and you have <link linkend="ini.magic-quotes-runtime"> + magic_quotes_runtime</link> enabled, you also have to + <function>stripslashes</function> your data. If you don't do so, you leave + yourself open to SQL Injection Attacks. Here's an example: </para> <para> <example> @@ -105,7 +108,7 @@ <![CDATA[ <?php /** - * Quote a variable to make it safe for insertion + * Quote a variable to make it safe */ function quote_smart($value) { 
@@ -143,15 +146,19 @@ <note> <simpara> <function>mysql_real_escape_string</function> does not escape - <literal>%</literal> and <literal>_</literal>. These are wildcards in MySQL if - combined with <literal>LIKE</literal>. + <literal>%</literal> and <literal>_</literal>. These are wildcards in + MySQL if combined with <literal>LIKE</literal>, <literal>GRANT</literal>, + or <literal>REVOKE</literal>. </simpara> </note> <para> See also <function>mysql_client_encoding</function>, - <function>addslashes</function>, and the - <link linkend="ini.magic-quotes-gpc">magic_quotes_gpc</link> + <function>addslashes</function>, + <function>stripslashes</function>, + the <link linkend="ini.magic-quotes-gpc">magic_quotes_gpc</link>, + and the + <link linkend="ini.magic-quotes-runtime">magic_quotes_runtime</link> directive. </para> </refsect1>
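Review bot: in the first hunk (@@ -1,12), the shortened refpurpose drops the one phrase that distinguishes this function from addslashes and mysql_escape_string, namely that it honours the connection character set. The body text keeps it, but the one-line purpose is what index and summary pages show; suggest keeping "Escapes special characters in a string for use in a SQL statement, taking into account the current character set of the connection".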
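Review bot: in the @@ -32,13 hunk the rewritten sentence still names the wrong library call: "calls MySQL's library function mysql_escape_string". The PHP function is character-set aware precisely because it calls the client library's mysql_real_escape_string(), which takes the connection handle; mysql_escape_string() is the older call that ignores the connection character set. Suggest "calls MySQL's library function mysql_real_escape_string". In the same sentence, listing both "NULL" and "\x00" is redundant, since both denote the NUL byte and "NULL" invites confusion with the SQL NULL value; suggest "the NUL byte (\x00)" and dropping "NULL".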
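Review bot: in the @@ -63,11 hunk there is a typo in the added text: "If your data are form other sources" should read "from other sources". The closing sentence "If you don't do so, you leave yourself open to SQL Injection Attacks" now hangs off the two stripslashes sentences, but skipping stripslashes does not open an injection; it stores doubly escaped data (literal backslashes). The injection risk belongs to skipping mysql_real_escape_string, which is what the first sentence of the paragraph is about. Suggest moving that warning up, e.g. "You must always (with few exceptions) use this function to make your data safe before sending a query to MySQL; otherwise you leave yourself open to SQL injection attacks. If you have magic_quotes_gpc enabled ... you must first stripslashes your data, or it will be escaped twice."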
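Review bot: in the @@ -143,15 hunk the note correctly adds GRANT and REVOKE to the contexts where % and _ are wildcards, but it still tells the reader only that they are not escaped, not what to do. Suggest one more sentence after "combined with LIKE, GRANT, or REVOKE": "If such a value is used in a LIKE pattern, escape those two characters separately after calling mysql_real_escape_string, for example with addcslashes($value, '%_'), or use an explicit ESCAPE clause." In the see-also list in the same hunk, "the magic_quotes_gpc, and the magic_quotes_runtime directive" reads awkwardly for two directives; suggest "and the magic_quotes_gpc and magic_quotes_runtime directives".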