Doc Bug #63118 mysql_real_escape_string doesn't always prepend backslashes
Submitted: 2012-09-19 16:39 UTC Modified: 2012-09-20 01:20 UTC
From: mark at zedwood dot com Assigned:
Status: Wont fix Package: Documentation problem
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2012-09-19 16:39 UTC] mark at zedwood dot com
Description:
------------
On:
http://us3.php.net/manual/en/function.mysql-real-escape-string.php

The documentation says: "mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a."

This implies that "\x00" (1 char) escapes to "\\x00" (4 chars).

This is not accurate; it should say "which escapes the following characters", because there are 2 cases where it doesn't just prepend a slash.  For null and CTRL-Z, it turns "\x00" into '\0' and "\x1a" into '\Z'.  If it didn't, it would be vulnerable to buffer overflow.

The MySQL C API documentation says to allocate a buffer of input_length*2+1, implying that each escaped char can only ever escape to a max of 2 chars.
http://dev.mysql.com/doc/refman/4.1/en/mysql-real-escape-string.html

Test script:
---------------
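<?php
// $host, $user, $pass and $dbname must be set for your server.
$db  = mysql_connect($host, $user, $pass) or die("err: " . mysql_error());
mysql_select_db($dbname, $db) or die("err: " . mysql_error());
// Input bytes: NUL, LF, CR, double quote, single quote, Ctrl-Z.
$a = mysql_real_escape_string("\x00\n\r\"'\x1a");
echo $a;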

Expected result:
----------------
//expected, based on current documentation:
\x00\n\r\"\'\x1a

Actual result:
--------------
//actual:
\0\n\r\"\'\Z
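
The mapping reported above, as an added example (not code from the bug report, PHP, or MySQL): an illustrative C re-implementation, assuming a single-byte character set, showing that every input byte produces at most two output bytes, so the input_length*2+1 buffer from the C API documentation always suffices. The name demo_escape is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative re-implementation of the escape mapping in this report.
 * Not MySQL's source; assumes a single-byte character set.
 * `to` must hold at least 2*len+1 bytes. Returns the escaped length. */
static size_t demo_escape(char *to, const char *from, size_t len)
{
    char *out = to;
    for (size_t i = 0; i < len; i++) {
        char esc = 0;
        switch (from[i]) {
        case '\0':   esc = '0';  break;  /* NUL    -> \0 (2 bytes, not \x00) */
        case '\n':   esc = 'n';  break;
        case '\r':   esc = 'r';  break;
        case '\\':   esc = '\\'; break;
        case '\'':   esc = '\''; break;
        case '"':    esc = '"';  break;
        case '\x1a': esc = 'Z';  break;  /* Ctrl-Z -> \Z (2 bytes, not \x1a) */
        }
        if (esc) {               /* special byte: backslash + one letter */
            *out++ = '\\';
            *out++ = esc;
        } else {                 /* ordinary byte: copied unchanged */
            *out++ = from[i];
        }
    }
    *out = '\0';                 /* the "+1" in 2*len+1 */
    return (size_t)(out - to);
}

int main(void)
{
    /* Constructed input: the six bytes from the report's test script. */
    const char in[] = "\x00\n\r\"'\x1a";
    size_t len = sizeof(in) - 1;
    char *buf = malloc(2 * len + 1);   /* worst case: every byte escaped */
    if (!buf)
        return 1;
    size_t n = demo_escape(buf, in, len);
    printf("%s (%zu bytes, bound %zu)\n", buf, n, 2 * len);
    free(buf);
    return 0;
}
```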

 [2012-09-20 01:20 UTC] aharvey@php.net
-Status: Open +Status: Wont fix
 [2012-09-20 01:20 UTC] aharvey@php.net
I think the wording on that is fine: the use of the word "character" is important there. At any rate, since you don't need to allocate a buffer in PHP, I think the reality is that mysql_real_escape_string() can basically be treated as a black box regardless (unsafe data goes in, safe data comes out).
 
Last updated: Fri Apr 26 06:01:32 2024 UTC