At 0:07 +0000 3/12/03, Lai Liu-yuan wrote:
>Thanks for your reply.
>But, what then is the role of mysql_real_query? In document, it says
>"You must use mqsql_real_query for queries that contain binary data"?
That doesn't mean the data values don't need to be properly escaped.
What if you put a binary value containing a quote within quotes?
Result: malformed query.
mysql_real_query() uses a string and a length to indicate how long the
string is. It won't be fooled by the presence of an ASCII 0 value within
mysql_query() uses a null-terminated string. It *will* be fooled by the
presence of an ASCII 0 value within the string. Specifically, it will
think the string ends at that 0, rather than where you want it to end.