22.01.2016, 03:24
I've been working with MySQL for a while, but there's one thing I'm not getting: why do we escape strings? What does it even mean?
It's to prevent SQL injection.
Enter "DROP TABLE `accounts`" in a dialog that processes a query. Try it out (but be careful about what it does). http://www.w3schools.com/sql/sql_injection.asp The first thing you'll notice at that link: an SQL injection can destroy your database. I think that's pretty clear and explains why you should escape strings in queries. By the way, use the specifier "%q" in the "format" function to escape a string. It would be used in place of the specifier "%s".
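What escaping actually buys you, as an added example that is not from this thread: the same account lookup written three ways against an in-memory SQLite table with constructed rows (SQLite is used so it runs offline; MySQL treats a quoted literal and a doubled quote the same way). The unsafe version lets a crafted name turn into SQL and return every account, while the escaped and the placeholder versions keep it as plain data.

```python
import sqlite3

# Constructed sample data, not from the original thread.
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ROWS)
    return conn

def lookup_unsafe(conn, name):
    # The user string is pasted straight into the SQL text, so a quote
    # inside it closes the literal and the rest is parsed as SQL.
    sql = "SELECT id FROM accounts WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def escape_sql_string(s):
    # Standard-SQL escaping: a doubled single quote stays inside the literal.
    # MySQL's own escaping helpers also accept this form (they additionally
    # emit backslash escapes); the idea is the same: quotes stop being syntax.
    return s.replace("'", "''")

def lookup_escaped(conn, name):
    sql = "SELECT id FROM accounts WHERE name = '" + escape_sql_string(name) + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, name):
    # Placeholder: the driver passes the value separately, never as SQL text.
    # This is the preferred fix; manual escaping is the fallback.
    sql = "SELECT id FROM accounts WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Constructed input: the classic tautology from the w3schools page linked above.
INJECTED = "x' OR 'a'='a"

def demo():
    conn = make_db()
    return {
        "unsafe": lookup_unsafe(conn, INJECTED),    # every account leaks
        "escaped": lookup_escaped(conn, INJECTED),  # no such name
        "param": lookup_param(conn, INJECTED),      # no such name
        "honest": lookup_param(conn, "bob"),        # normal lookup still works
    }

if __name__ == "__main__":
    print(demo())
```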