Bug #26230 mysql_escape_string() and mysql_real_escape_string() should escape backquotes
Submitted: 2003-11-12 18:57 UTC Modified: 2003-11-12 20:43 UTC
From: icemaze at tiscalinet dot it Assigned:
Status: Not a bug Package: MySQL related
PHP Version: 4.3.3 OS: Linux 2.6
Private report: No CVE-ID: None
 [2003-11-12 18:57 UTC] icemaze at tiscalinet dot it
Description:
------------
I think mysql_escape_string() and 
mysql_real_escape_string() should escape backquotes to 
avoid potential security problems in case an application 
uses an input field as the name for a table or for a 
field. So... 

Reproduce code:
---------------
<?php
	// Table name taken straight from user input (the pattern under discussion)
	$name = $_POST["name"];
	// mysql_real_escape_string() escapes quotes, backslashes and a few
	// control characters, but leaves backquotes untouched
	$ename = mysql_real_escape_string($name);
	print("'$name' => '$ename'");
	// The escaped value is used as an identifier (table name), not as a string literal
	@mysql_query("INSERT INTO `$ename` SET `blah`='blah'");
?>

Expected result:
----------------
'` SET `protectedfield`=1' => '\` SET \`protectedfield\`=1'

Actual result:
--------------
'` SET `protectedfield`=1' => '` SET `protectedfield`=1' 
 
This way the query modifies a field which was not supposed 
to be modified. 
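
The two defensive treatments of an identifier taken from user input, as an added example that is not part of the report or of PHP itself: an allowlist of known table names (assumed, hypothetical names), and MySQL identifier quoting, where a backtick inside a backtick-quoted identifier is written as two backticks. The payload is the one from the report.

```php
<?php
// Added example, not code from the bug report or from PHP.
// Shows why an identifier from user input must be handled differently
// from a string literal: an allowlist, or backtick doubling.

// Hypothetical allowlist of this application's tables (assumed names).
const ALLOWED_TABLES = ['users', 'orders', 'audit_log'];

// Returns the name if it is a known table, otherwise null.
// This is the preferred treatment: the input never reaches the SQL text.
function tableFromAllowlist(string $name): ?string
{
    return in_array($name, ALLOWED_TABLES, true) ? $name : null;
}

// Quotes an arbitrary identifier for MySQL. A backtick inside the
// identifier is doubled, which is MySQL's rule for backtick-quoted
// identifiers; mysql_real_escape_string() does not do this, as the
// report shows. Length is capped at MySQL's 64-character identifier limit.
function quoteIdentifier(string $name): string
{
    if ($name === '' || strlen($name) > 64) {
        throw new InvalidArgumentException('identifier length out of range');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

// Builds the INSERT from the report with a safely quoted table name.
function buildInsert(string $table): string
{
    return 'INSERT INTO ' . quoteIdentifier($table) . " SET `blah`='blah'";
}

// Constructed input: the payload used in the report.
$payload = "` SET `protectedfield`=1";

// Allowlist: the payload is rejected, a known name passes through.
var_dump(tableFromAllowlist($payload));
var_dump(tableFromAllowlist('users'));

// Identifier quoting: the doubled backticks keep the whole payload
// inside one (nonexistent) table name, so it cannot close the
// identifier and append a `SET` clause of its own.
echo buildInsert($payload), "\n";
```

The allowlist is the stronger control; the quoting helper is for the rare case where the set of identifiers is genuinely dynamic, and it still does not grant the user the right to name any table they like, only to fail to find one.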

 [2003-11-12 20:43 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Backquotes are used to escape field names.
 