PHP :: Bug #26230 :: mysql_escape_string() and mysql_real_escape

Bug #26230	mysql_escape_string() and mysql_real_escape_string() should escape backquotes
Submitted:	2003-11-12 18:57 UTC	Modified:	2003-11-12 20:43 UTC
From:	icemaze at tiscalinet dot it	Assigned:
Status:	Not a bug	Package:	MySQL related
PHP Version:	4.3.3	OS:	Linux 2.6
Private report:	No	CVE-ID:	None

View Developer Edit

[2003-11-12 18:57 UTC] icemaze at tiscalinet dot it

Description:
------------
I think mysql_escape_string() and 
mysql_real_escape_string() should escape backquotes to 
avoid potential security problems in case an application 
uses an input field as the name for a table or for a 
field. So... 

Reproduce code:
---------------
<?
	$name = $_POST["name"];
	$ename = mysql_real_escape_string($name);
	print("'$name' => '$ename'");
	@mysql_query("INSERT INTO `$ename` SET `blah`='blah'");
?>

Expected result:
----------------
'` SET `protectedfield`=1' => '\` SET \`protectedfield
\`=1' 

Actual result:
--------------
'` SET `protectedfield`=1' => '` SET `protectedfield`=1' 
 
This way the query modifies a field which was not supposed 
to be modified.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-11-12 20:43 UTC] iliaa@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Backquotes are used to escape field names.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Jul 01 15:01:38 2025 UTC