why we use it when coding registration

It is used to escape those special characters that would otherwise change the meaning of an SQL command. For example, the strings inside an SQL query are enclosed in single quotes, and so any single quotes in the text need to be escaped, as otherwise the first single quote will end the text and the rest of the text will be interpreted as SQL. This is how many databases where the code isn't written properly are broken into, since they can use it to add OR 1=1 to the end of the query and so have it run even if the other criteria are not met.
Stephen J Chapman
understood
To put an example to felgall's explanation:
Run that query in PHPMyAdmin - it will fetch everything (because for each row, '1' == '1').

PHP Code:
```php
<?php
// Input that closes the open quote and appends an always-true condition
$username = "' or '1' = '1";
$query = "SELECT id FROM users WHERE username = '{$username}'";
echo '<p><b>Unescaped Query:</b> ' . $query . '</p>';

// mysql_real_escape_string() needs an open mysql_connect() link;
// it prefixes each single quote with a backslash so it stays part of the string literal
$username = mysql_real_escape_string($username);
$query = "SELECT id FROM users WHERE username = '{$username}'";
echo '<p><b>Escaped Query:</b> ' . $query . '</p>';
```
Jake Arkinstall
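The two posts above describe the same thing from two sides: felgall explains why an unescaped quote lets `OR '1'='1'` hijack the WHERE clause, and Jake shows the query text before and after escaping. The following is an added example, not code from either poster, that actually runs the three variants against a small SQLite table built in memory (the table, user names and the `lookup_*` function names are constructed for the demo). The hand-written `escape_sqlite` helper is an assumption standing in for `mysql_real_escape_string`: SQLite escapes a quote by doubling it, where MySQL uses a backslash, so it illustrates the idea rather than MySQL's exact output. The third variant, a parameterised query, is the modern replacement for string escaping and is shown so the defensive fix is visible beside the weakness.

```python
import sqlite3

# Constructed sample data: three users, ids 1..3
SAMPLE_USERS = [("alice",), ("bob",), ("carol",)]
INJECTION = "' or '1' = '1"   # the same input Jake's post uses


def make_db():
    """Build an in-memory SQLite database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable: the input is pasted straight into the SQL text.

    With INJECTION the statement becomes
        SELECT id FROM users WHERE username = '' or '1' = '1'
    so every row matches, exactly as felgall describes.
    """
    query = f"SELECT id FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def escape_sqlite(text):
    """Assumed stand-in for mysql_real_escape_string: doubles single quotes (SQLite rule)."""
    return text.replace("'", "''")


def lookup_escaped(conn, username):
    """Escaped: the quote no longer terminates the literal, so the whole input is data."""
    query = f"SELECT id FROM users WHERE username = '{escape_sqlite(username)}'"
    return [row[0] for row in conn.execute(query)]


def lookup_param(conn, username):
    """Parameterised: the driver sends the value separately from the SQL, no escaping needed."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM users WHERE username = ?", (username,))]


def demo():
    """Return the row ids each variant yields for the injection input and for a real name."""
    conn = make_db()
    return {
        "unsafe_injection": lookup_unsafe(conn, INJECTION),
        "escaped_injection": lookup_escaped(conn, INJECTION),
        "param_injection": lookup_param(conn, INJECTION),
        "param_alice": lookup_param(conn, "alice"),
    }


if __name__ == "__main__":
    for name, ids in demo().items():
        print(f"{name}: {ids}")
```

Running it shows the unsafe variant returning all three ids for the injection string while the escaped and parameterised variants return nothing, because in both of those the quote is stored as part of the user name rather than as SQL syntax. Prefer the parameterised form in new code; escaping is what the thread's era of PHP offered, and it only works if the escaping rules exactly match the database in use.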