Re: Using mysql_real_escape_string without connecting to mysql

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, January 23, 2008 4:04 pm, Dotan Cohen wrote:
> Is the "--" here not treated as the beginning of an SQL comment?

No, because it is inside the apostrophes.

The purpose of mysql_real_escape_string (or using prepared statements)
is to mark up (or separate) the DATA from the QUERY.

The data about to be put into the database being escaped by
mysql_real_escape_string is sufficient to be sure nobody is playing
games with apostrophe followed by -- which could, in theory, insert an
SQL comment or allow them to execute arbitrary SQL code.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux