I'm setting up a website right now and I was testing for SQL injection with no protection against it (like before using mysql_real_escape_string). Basically the way I set it up was as follows:

<?php
$blah = $_POST['blah'];
$user = $_COOKIE['user'];
$query = "UPDATE table SET blah='$blah' WHERE username='$user'";
mysql_query($query);
?>

What confused me was that, even though I put no instructions to do so, PHP escapes all mysql characters automatically. I even tried using mysql_real_escape_string() with my queries and it actually inserted the backslashes into the table (i.e. it was being escaped twice).

So what's going on here? Did I miss the memo where PHP started auto-escaping mysql queries?
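The doubled backslashes described above are the classic symptom of magic_quotes_gpc (removed in PHP 5.4), which silently ran addslashes() over $_GET, $_POST and $_COOKIE before the script saw them, so a second escape in the script stored the slashes literally. The following is an added example, not the poster's code, that reproduces the effect with constructed input and shows the fix: undo the automatic escaping only when PHP really applied it, and bind values as parameters instead of interpolating them into the query. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the table name `tbl` and the column names are assumed.

```php
<?php
// Constructed input: what $_POST['blah'] looked like after magic_quotes_gpc
// had already run addslashes() over the submitted value "O'Reilly".
$raw    = "O'Reilly";
$quoted = addslashes($raw);      // O\'Reilly

// Escaping an already-escaped value doubles the backslashes, so the row
// ends up containing the slashes literally. mysql_real_escape_string()
// needs a live connection, so addslashes() stands in for it here.
$doubly = addslashes($quoted);   // O\\\'Reilly
var_dump($quoted, $doubly);

// Detect the legacy setting. get_magic_quotes_gpc() is deprecated in 7.4
// and gone in 8.0, so guard the call; on modern PHP this is always false.
function magic_quotes_active(): bool {
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Undo the automatic escaping only when it actually happened, otherwise
// legitimate backslashes in user input would be destroyed.
function clean_input(string $value, bool $magic_on): string {
    return $magic_on ? stripslashes($value) : $value;
}

// Never interpolate into SQL: with a bound parameter the driver handles
// quoting, so neither single nor double escaping can occur in the script.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE tbl (username TEXT PRIMARY KEY, blah TEXT)");
$pdo->exec("INSERT INTO tbl VALUES ('alice', '')");

// The constructed input above was slashed, so simulate the setting as on;
// in a real request use magic_quotes_active() instead of the literal.
$blah = clean_input($quoted, true);   // stands in for $_POST['blah']
$user = 'alice';                      // stands in for $_COOKIE['user']

$stmt = $pdo->prepare("UPDATE tbl SET blah = :blah WHERE username = :user");
$stmt->execute([':blah' => $blah, ':user' => $user]);

$stored = $pdo->query("SELECT blah FROM tbl WHERE username = 'alice'")->fetchColumn();
var_dump($stored);
assert($stored === $raw, 'stored value must match the original, slash-free input');
```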