On Wednesday 09 August 2006 07:49 am, [EMAIL PROTECTED] wrote:
> hi to all.
>
> battling this problem on several forums and mailing lists, I got confused:
> when storing a string that contains quotations (i.e. afan's "php" shop) in mysql,
> does it have to be stored with backslashes (afan\'s \"php\" shop) or just
> the way it is? my login's telling me the way it is. am I wrong?

Yes, MySQL stores it that way for a specific reason. That is, strings are
generally input in the form:

    INSERT INTO table (blah) VALUES('blah');

That said, if you didn't have the slash escape, you'd have something like:

    INSERT INTO table (blah) VALUES('I'm blah);

Which MySQL would choke on, not knowing what to do with m blah. Also, this is
done to prevent SQL injection, like:

    INSERT INTO table (blah) VALUES('[bl' ; DELETE FROM table; SELECT('ah]');

where [] is what the user inputs. Now when displaying, you'll have to
unescape the slashes generally. Unfortunately I can't remember in PHP if
that's because of magic quotes or just the way the db has it stored. My gut
instinct is the former.

> thanks for any help.
>
> -afan
--
Chris White
PHP Programmer/DBaboon
Interfuel
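
Added example, not part of the original message: the thread's two inputs sent through bound parameters, with the stored values read back to see whether any backslashes end up in the table, plus the same shop name escaped once before binding. It uses Python's sqlite3 as an offline stand-in for MySQL; the table name shop and the addslashes helper (a rough model of PHP's addslashes()) are assumptions of the example.

```python
import sqlite3

def addslashes(s):
    """Rough model of PHP addslashes(): backslash-escape \\, ' and "."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def store_and_fetch(values):
    """Insert each value through a bound parameter and return the stored rows."""
    db = sqlite3.connect(":memory:")  # SQLite as an offline stand-in for MySQL
    db.execute("CREATE TABLE shop (id INTEGER PRIMARY KEY, blah TEXT)")
    for v in values:
        # The value travels separately from the SQL text, so a quote
        # character inside it cannot end the literal or start a statement.
        db.execute("INSERT INTO shop (blah) VALUES (?)", (v,))
    rows = [r[0] for r in db.execute("SELECT blah FROM shop ORDER BY id")]
    db.close()
    return rows

# Constructed inputs, copied from the strings quoted in the thread.
NAME = 'afan\'s "php" shop'
INJECTION = "bl' ; DELETE FROM table; SELECT('ah"

def demo():
    """Return (plain, hostile, doubled) as they come back from the table."""
    # Third value: the name escaped by the application before binding,
    # which is what happens when magic quotes or addslashes() run on data
    # that the driver already handles.
    plain, hostile, doubled = store_and_fetch(
        [NAME, INJECTION, addslashes(NAME)]
    )
    return plain, hostile, doubled

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The first two rows come back byte-for-byte as entered; only the pre-escaped third row carries backslashes into storage and would need stripping on display.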