07.01.2010, 05:53
The function searches for quotes (', ") in the provided string and removes them. Here's an example:
Let's say you use this MySQL query to get someone's user stuff:
Code:
SELECT * FROM users WHERE name='John'
If someone found out the query, he could easily drop the table by changing his name, so the query might become:
Code:
SELECT * FROM users WHERE name='John'; DROP TABLE users; SELECT * FROM data WHERE 't'='t'
So now his name is
Code:
John'; DROP TABLE users; SELECT * FROM data WHERE 't'='t
Which obviously is a problem. mysql_real_escape_string removes the quotes, which prevents these things from happening.
Read more on SQL injection
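Added example, not code from the post above: a self-contained Python script that builds the concatenated query from the post, runs it against an in-memory SQLite database with stacked statements allowed so the users table really is dropped, then runs the same lookup with a bound parameter so the attacker's name is only compared as text. It also shows, as a string, what a MySQL-style escape does to the value: each quote gets a backslash in front of it, and the whole thing stays inside the one string literal. The escape routine is an imitation of mysql_real_escape_string written for this example (it ignores connection charset), SQLite stands in for MySQL, and the table names and rows are constructed.

```python
import sqlite3

# Constructed sample input: the attacker-chosen "name" from the post.
ATTACKER_NAME = "John'; DROP TABLE users; SELECT * FROM data WHERE 't'='t"


def fresh_db():
    """In-memory database with the two tables the post's query touches (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (name TEXT, email TEXT);"
        "CREATE TABLE data (t TEXT);"
        "INSERT INTO users VALUES ('John', 'john@example.com');"
    )
    return conn


def table_exists(conn, table):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (table,)
    ).fetchone()
    return row is not None


def vulnerable_query(name):
    """The pattern from the post: user input concatenated straight into the SQL text."""
    return f"SELECT * FROM users WHERE name='{name}'"


def run_vulnerable(name):
    """Runs the concatenated query the way a script that allows ';'-separated
    statements would, and reports whether the users table survived."""
    conn = fresh_db()
    conn.executescript(vulnerable_query(name))  # executescript permits stacked statements
    return table_exists(conn, "users")


def run_parameterized(name):
    """Same lookup with a bound parameter: the value is data, never SQL.
    Returns (users table still exists, number of rows matched)."""
    conn = fresh_db()
    rows = conn.execute("SELECT * FROM users WHERE name=?", (name,)).fetchall()
    return table_exists(conn, "users"), len(rows)


def mysql_style_escape(value):
    """Pure-Python imitation of what mysql_real_escape_string does to a value:
    characters MySQL treats specially are prefixed with a backslash rather than
    dropped. Approximation for illustration only; charset handling is ignored."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def escaped_query(name):
    """The post's query with the value escaped MySQL-style. Built as text only:
    SQLite doubles quotes instead of backslash-escaping them, so this string is
    for inspection, not for execution against the in-memory database."""
    return f"SELECT * FROM users WHERE name='{mysql_style_escape(name)}'"


if __name__ == "__main__":
    print(vulnerable_query(ATTACKER_NAME))
    print("users table survived vulnerable query:", run_vulnerable(ATTACKER_NAME))
    print("users table survived parameterized query, rows matched:",
          run_parameterized(ATTACKER_NAME))
    print(escaped_query(ATTACKER_NAME))
```

Running it, the concatenated query leaves no users table behind, the parameterized version keeps the table and simply matches no row, and the escaped string still contains every character the attacker typed, just with the quotes neutralised so MySQL would read the whole name as one literal. Bound parameters are the stronger of the two because nothing the caller sends is ever parsed as SQL.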