On Sat, 2009-02-21 at 22:55 +1300, German Geek wrote:
> Ah, ic. Mh, why wouldn't a function like that function without a db
> connection? Does it use the db? Isn't that less efficient? I might just use
> str_replace, because i can't think of any way that one could get a sql
> injection into
>
> str_replace("'", "\\\'", $value); // might need to replace a literal \ too.
>
> If you can, please enlighten me.
>
> Maybe if they enter something like \c ?? Like one of the mysql special
> commands? But if it's inside a string literal??
>
> Thanks a lot, i would have never thought about that.
>
> Will try.
>
> Tim-Hinnerk Heuer
>
> http://www.ihostnz.com
> George Burns - "I would go out with women my age, but there are no women my
> age."
>
> 2009/2/21 Ross McKay <rosko@xxxxxxxxxxx>
>
> > On Sat, 21 Feb 2009 19:19:44 +1300, tim@xxxxxxxxxxx wrote:
> >
> > >Can anyone here tell me why mysql_real_escape_string("asdasddas") returns
> > an
> > >empty string?
> >
> > Have you opened a connection to a MySQL database? It won't work without
> > an open connection.
> > --
> > Ross McKay, Toronto, NSW Australia
> > "Let the laddie play wi the knife - he'll learn"
> > - The Wee Book of Calvin
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
It doesn't actually use the connection, but it requires one to be open
before you can use it. You said you're using this on a query anyway, so
why not open the connection to mysql?
Ash
www.ashleysheridan.co.uk
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
