mysql_escape_string()

The mysql_escape_string() function escapes ' (single quote) and "
(double quote) characters. When PHP receives information data through a
form, it automatically escapes these characters (tested with PHP 4.3.5).
Once mysql_escape_string() receives it, ' and " have already been
escaped. In essence, instead of escaping ' it's trying to escape \'
which results in \\\'. However, once the data is actually inserted into
the column, what shows up in the column is just '. But if I echo the
variable, it shows up as being \\\', which I don't think is proper behavior.

I also noticed mysql_escape_string() is only meant to escape binary data
to be inserted. Consequently it does not escape all metacharacters as
defined by the W3C. It would be nice to have a function that did escape
all metacharacters that I could just call with $_POST as an arg and have
it escape all the variables in $_POST. Something like this, but a
builtin function:


<?php
// Escapes a set of shell-style metacharacters in every value of the array,
// in place (the array is taken by reference).
function sql_escape(&$ESCAPE) {
    foreach ($ESCAPE as $key => $val) {
        // Prefix each listed metacharacter with a backslash. The replacement
        // "\\" . "\\$1" evaluates to \\$1, i.e. a literal backslash followed
        // by the captured character.
        $ESCAPE[$key] = preg_replace('/([\&;\`\\\|*?~<>^\(\)\[\]\{\}\$\n\r])/', "\\" . "\\$1", $val);
    }
}

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
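The double-escaping described in the post, reproduced as an added example (this is not code from the post or from PHP itself). mysql_escape_string() and magic_quotes_gpc were both removed from PHP, so the script simulates them: addslashes() is exactly what magic_quotes_gpc applied to request values, and mysql_style_escape() is an assumed stand-in that escapes the same characters mysql_escape_string() did (NUL, newline, carriage return, backslash, both quotes and Ctrl-Z). escape_once() shows the check a practitioner wanted at the time: undo the automatic quoting before escaping, so each value is escaped exactly once. The last line shows that the sql_escape() regex from the post leaves the single quote untouched, because ' is not in its character class. No database connection is needed.

```php
<?php
// Added example, not from the original post. Simulates magic_quotes_gpc and
// mysql_escape_string() so it runs on current PHP without a database.

// What magic_quotes_gpc did to every request value: a backslash before
// ' " \ and NUL. Simulation of a removed PHP setting, not a live one.
function simulate_magic_quotes(string $value): string {
    return addslashes($value);
}

// Assumed stand-in for mysql_escape_string(): backslash-escapes NUL, \n, \r,
// \, ', " and Ctrl-Z, with no regard to the connection character set.
function mysql_style_escape(string $value): string {
    return strtr($value, [
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Undo the automatic quoting first, so the value is escaped exactly once.
function escape_once(string $request_value, bool $magic_quotes_on): string {
    $plain = $magic_quotes_on ? stripslashes($request_value) : $request_value;
    return mysql_style_escape($plain);
}

// The poster's function, repeated here only to show what it does to a quote.
function sql_escape_from_post(array &$ESCAPE): void {
    foreach ($ESCAPE as $key => $val) {
        $ESCAPE[$key] = preg_replace('/([\&;\`\\\|*?~<>^\(\)\[\]\{\}\$\n\r])/', "\\" . "\\$1", $val);
    }
}

$raw   = "O'Reilly";                    // constructed sample form input
$gpc   = simulate_magic_quotes($raw);   // what $_POST held with magic quotes on: O\'Reilly
$twice = mysql_style_escape($gpc);      // the result reported in the post: O\\\'Reilly
$once  = escape_once($gpc, true);       // O\'Reilly

$post = ['name' => $raw];               // constructed stand-in for $_POST
sql_escape_from_post($post);            // the regex has no ' in its class: O'Reilly

printf("form value:          %s\n", $raw);
printf("after magic quotes:  %s\n", $gpc);
printf("escaped twice:       %s\n", $twice);
printf("escaped once:        %s\n", $once);
printf("poster's sql_escape: %s\n", $post['name']);
```

The escaped-twice value is what the post observed when echoing the variable; MySQL decodes it back to a single backslash and quote on insert, which is why the stored column looked fine. Escaping in application code is also charset-unaware, which is why later PHP offered mysql_real_escape_string() and, today, prepared statements in PDO or mysqli, where values are sent separately from the SQL text and no escaping step is needed at all.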

