Bug #13701 mysql_escape_string() bugged
Submitted: 2001-10-16 19:57 UTC Modified: 2001-10-23 14:24 UTC
From: ed3f at phreaker dot net Assigned:
Status: Not a bug Package: MySQL related
PHP Version: 4.0.6 OS: OpenBSD 2.9
Private report: No CVE-ID: None

 [2001-10-16 19:57 UTC] ed3f at phreaker dot net
mysql_escape_string() is bugged.
It also escapes '\'.
So if I make:

$string = 'Hi \dumb\ man';
$estring = mysql_escape_string($string);

now
$estring = 'Hi \\dumb\\ man';

So I put it in a cell
UPDATE ... SET string='.$estring.'

All ok ?
No!

If I try to SELECT I obtain 
$estring not $string !

This is really annoying for public sites powered by MySQL that accept comments.
PHP-Nuke also has (had?) this problem.

Thanks.

 [2001-10-23 14:24 UTC] sander@php.net
Intended behaviour. You are doing something wrong.
You might have magic_quotes_runtime enabled in your php.ini
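
Added example, not part of the report or of PHP's own code: a self-contained PHP model of the escape, store and read-back round trip discussed in this thread. `model_escape()` and `model_sql_decode()` are hypothetical helpers that approximate mysql_escape_string() and the server's string-literal decoding, and addslashes() stands in for a quoting layer applied to fetched data (an assumption of this model).

```php
<?php
// Hypothetical helper: models the characters mysql_escape_string() prefixes
// with a backslash (NUL, \n, \r, \, ', " and Ctrl-Z).
function model_escape(string $s): string {
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

// Hypothetical helper: simplified model of how the server decodes the body
// of a quoted string literal before storing it.
function model_sql_decode(string $body): string {
    $map = ['0' => "\0", 'n' => "\n", 'r' => "\r", 't' => "\t", 'b' => "\x08", 'Z' => "\x1a"];
    $out = '';
    for ($i = 0, $n = strlen($body); $i < $n; $i++) {
        if ($body[$i] === "\\" && $i + 1 < $n) {
            $c = $body[++$i];
            $out .= $map[$c] ?? $c;      // any other escaped char stands for itself
        } else {
            $out .= $body[$i];
        }
    }
    return $out;
}

$string = 'Hi \dumb\ man';               // value from the report

// Case 1: escaped exactly once, then decoded by the server.
$stored = model_sql_decode(model_escape($string));
printf("escaped once:   stored=%s  same as input: %s\n", $stored, var_export($stored === $string, true));

// Case 2: input already carries a layer of backslashes and is escaped again.
$storedTwice = model_sql_decode(model_escape(model_escape($string)));
printf("escaped twice:  stored=%s  same as input: %s\n", $storedTwice, var_export($storedTwice === $string, true));

// Case 3: stored correctly, but quoting is applied again when the row is fetched
// (addslashes() models that extra layer; assumption of this example).
$fetched = addslashes($stored);
printf("quoted on read: fetched=%s  same as input: %s\n", $fetched, var_export($fetched === $string, true));
```

Only the first case returns the original string; in the other two the value read back is `Hi \\dumb\\ man`, the symptom described in the report.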
Last updated: Wed Jan 15 12:01:29 2025 UTC