[PHP-DB] mysql_escape_string()

2004-04-09 Thread Chris Baechle
The mysql_escape_string() function escapes ' (single quote) and " (double quote) characters. When php receives information data through a form, it automatically escapes these characters (tested with php 4.3.5). Once mysql_escape_string() receives it, ' and " have already been escaped. In essence,

Re: [PHP-DB] mysql_escape_string()

2004-04-09 Thread Chris Baechle
Jason Wong wrote: ... and is in no way related to metacharacters as defined by the w3c. If you are having a particular problem please elaborate. As pointed out by rain forest puppy http://www.wiretrip.net/rfp/txt/phrack55.txt All metacharacters as defined by the w3c should be escaped for

Re: [PHP-DB] mysql_escape_string()

2004-04-09 Thread Chris Baechle
Jason Wong wrote: But why do they say in the manual that only the backslash character, and the string quote character needs to be escaped? I've been able to inject sql queries into form fields that escape the backslash character and quote characters.