aidan           Wed Aug 11 04:40:28 2004 EDT

  Modified files:              
    /phpdoc/en/reference/mysql/functions        mysql-escape-string.xml 
  Log:
  Arrgh - Didn't read my diffs. Removed notes from bottom of file.
  
http://cvs.php.net/diff.php/phpdoc/en/reference/mysql/functions/mysql-escape-string.xml?r1=1.10&r2=1.11&ty=u
Index: phpdoc/en/reference/mysql/functions/mysql-escape-string.xml
diff -u phpdoc/en/reference/mysql/functions/mysql-escape-string.xml:1.10 
phpdoc/en/reference/mysql/functions/mysql-escape-string.xml:1.11
--- phpdoc/en/reference/mysql/functions/mysql-escape-string.xml:1.10    Wed Aug 11 
04:32:23 2004
+++ phpdoc/en/reference/mysql/functions/mysql-escape-string.xml Wed Aug 11 04:40:28 
2004
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.10 $ -->
+<!-- $Revision: 1.11 $ -->
 <!-- splitted from ./en/functions/mysql.xml, last change in rev 1.62 -->
   <refentry id="function.mysql-escape-string">
    <refnamediv>
@@ -91,18 +91,4 @@
 vim600: syn=xml fen fdm=syntax fdl=2 si
 vim: et tw=78 syn=sgml
 vi: ts=1 sw=1
--->
-
-- mysql_escape_string calls MySQL's library function of the same name, which prepends 
slashes to the following characters: NUL (\x00), \n, \r, \, ', " and \x1a.
-
-- AddSlashes escapes NUL, ', " and \. 
-
-$query = "SELECT * FROM adresses WHERE name='$name' AND private='N'";
-
-mysql_query($query);
-?>
-
-Without mysql_escape_string a user could set name to "' OR 1=1 OR ''='"
-
-effectively leading to the query:
-SELECT * FROM adresses WHERE name='' OR 1=1 OR ''='' AND private='N' 
\ No newline at end of file
+-->
\ No newline at end of file
