anon
Reputation:
Understading mysql_real_escape_string();
I don't understand why mysql_real_escape_string needs to escape new line and carriage return chars:
\n and \r
What could be the security holes in a sql with \n and \r ?
UPDATE tbl SET field = 'text text text \n text text text \r text text' WHERE id = 1;
Upvotes: 0
Views: 186
Answers (1)
Gumbo
Reputation: 655129
MySQL doesn’t require the newline character to be escaped. The manual page for the mysql_real_escape_string function of MySQL’s C API says:
Characters encoded are “
\”, “'”, “"”,NUL(ASCII 0), “\n”, “\r”, and Control+Z. Strictly speaking, MySQL requires only that backslash and the quote character used to quote the string in the query be escaped.mysql_real_escape_string()quotes the other characters to make them easier to read in log files.
Upvotes: 2
Related Questions
- PHP code vulnerable to SQL injection: how to work with `mysql_real_escape_string()`?
- Why mysql_real_escape_string() shouldn't avoid any SQL Injection?
- what does mysql_real_escape_string() really do?
- Correct usage of Mysql real escape strings
- SQL injection, real_escape_string, and quoted queries
- Shortcomings of mysql_real_escape_string?
- PHP's mysql_real_escape_string and MySQL Injection
- Bypassing mysql_real_escape_string's protection
- Sql injection mysql_real_escape_string
- Am I using mysql_real_escape_string right?