|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[1998-04-01 00:13 UTC] rasmus
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sat Dec 21 17:01:58 2024 UTC |
$query = "INSERT INTO table1 (name, comment, age) VALUES ('$name', '$comment', $age)"; When building the above SQL statement with magic quotes turned on and set to sybase style the fellowing happens. If $comment contains a double quote or a back slash the string $query will evaluate to "INSERT INTO table1 (name, comment, age) VALUES ('$name', '$comment'" Otherwise it will evaluate to the expected "INSERT INTO table1 (name, comment, age) VALUES ('$name', '$comment', $age)" for example if the values posted from the web are as follows. $name = "jo bob" $comment = "My favorite quote "work is fun" is not representative of how I feel today" $age = "33" The resulting string $query will be "INSERT INTO table1 (name, comment, age) VALUES ('jo bob', 'My favorite quote "work is fun" is not representative of how I feel today" But it should be "INSERT INTO table1 (name, comment, age) VALUES ('jo bob', 'My favorite quote "work is fun" is not representative of how I feel today', 33"