Doc Bug #63118 mysql_real_escape_string doesn't always prepend backslashes
Submitted: 2012-09-19 16:39 UTC Modified: 2012-09-20 01:20 UTC
From: mark at zedwood dot com Assigned:
Status: Wont fix Package: Documentation problem
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None


 [2012-09-19 16:39 UTC] mark at zedwood dot com

The documentation says: "mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a."

This implies that "\x00" (1 char) escapes to "\\x00" (4 chars).

This is not accurate; it should say "which escapes the following characters", because there are 2 cases where it doesn't just prepend a slash. For null and CTRL-Z, it turns "\x00" into '\0' and "\x1a" into '\Z'. If it didn't, it would be vulnerable to buffer overflow.

The MySQL C API documentation says to allocate a buffer of input_length*2+1, implying that each escaped char can only ever escape to a max of 2 chars.

Test script:
$db  = mysql_connect($host, $user, $pass) or die("err: " . mysql_error());
mysql_select_db($dbname, $db) or die("err: " . mysql_error());
$a = mysql_real_escape_string("\x00\n\r\"'\x1a");
echo $a;

Expected result:
//expected, based on current documentation:

Actual result:


 [2012-09-20 01:20 UTC]
-Status: Open +Status: Wont fix
 [2012-09-20 01:20 UTC]
I think the wording on that is fine: the use of the word "character" is important there. At any rate, since you don't need to allocate a buffer in PHP, I think the reality is that mysql_real_escape_string() can basically be treated as a black box regardless (unsafe data goes in, safe data comes out).
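The escaping and buffer bound discussed in the report, modelled as an added C example (not code from PHP or libmysqlclient). `model_escape` and `report_input` are hypothetical names, and the model assumes a single-byte character set, ignoring the connection charset handling the real function performs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the six bytes from the report's test script. */
static const char report_input[] = "\x00\n\r\"'\x1a";

/* Illustrative model of the escaping, single-byte charset only.
 * Every input byte yields 1 or 2 output bytes, so len*2+1 always fits.
 * Returns the escaped length, or (size_t)-1 if `to` is too small. */
size_t model_escape(char *to, size_t to_size, const char *from, size_t len)
{
    size_t out = 0;
    if (to_size == 0)
        return (size_t)-1;
    for (size_t i = 0; i < len; i++) {
        char esc = 0;
        switch (from[i]) {
        case '\0':   esc = '0';  break; /* NUL    -> backslash, '0' */
        case '\n':   esc = 'n';  break; /* LF     -> backslash, 'n' */
        case '\r':   esc = 'r';  break; /* CR     -> backslash, 'r' */
        case '\\':   esc = '\\'; break;
        case '\'':   esc = '\''; break;
        case '"':    esc = '"';  break;
        case '\x1a': esc = 'Z';  break; /* Ctrl-Z -> backslash, 'Z' */
        }
        size_t need = esc ? 2 : 1;
        if (out + need + 1 > to_size)   /* keep room for the terminator */
            return (size_t)-1;
        if (esc) {
            to[out++] = '\\';
            to[out++] = esc;
        } else {
            to[out++] = from[i];
        }
    }
    to[out] = '\0';
    return out;
}

int main(void)
{
    size_t len = sizeof report_input - 1;  /* 6 bytes, including the NUL */
    char buf[2 * (sizeof report_input - 1) + 1];
    size_t n = model_escape(buf, sizeof buf, report_input, len);
    printf("%zu input bytes -> %zu escaped bytes: %s\n", len, n, buf);
    return 0;
}
```

Because all six input bytes need escaping, this input is the worst case: the output fills the `input_length*2+1` buffer exactly, and a buffer one byte smaller is rejected.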
Last updated: Tue May 28 00:01:32 2024 UTC