Is this normal? Is there some kind of new feature in PHP that does this, or is it MySQL escaping strings? It couldn't be MySQL, because how would MySQL know what should be escaped and what should not?
It probably would be a good idea to give you an example right about now.
$queryString = "SELECT * FROM t1 WHERE id = $id AND name = '$name'";
mysql_query($queryString);
On the other hand, though, if $id equals "' OR 1", the injection is successful. I guess this is because it's not wrapped in single quotes. Which leads me to believe that the mysql_query() function is the one that's parsing my passed-in string and escaping things. But how would mysql_query() know what should be escaped any more than MySQL itself?
I don't see anywhere in PHP's manual that explains this. :S
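The following is an added example, not code from the original post or a reply to it. It rebuilds the poster's interpolated query and puts the same "' OR 1" value in each position, so you can see the exact SQL text the server receives and why neither mysql_query() nor the database "knows" what to escape: the string is simply parsed as SQL, and whether a given payload runs or fails depends only on the quotes around it. It then shows the fix, a prepared statement, where the values never become part of the SQL text. The in-memory SQLite database via PDO, the table t1 and its two rows are assumptions standing in for the poster's MySQL setup; SQLite's parser may accept or reject a malformed query differently from MySQL, but the prepared-statement result is the same.

```php
<?php
// Added example (not from the original post). Uses SQLite in memory via PDO
// as a stand-in for MySQL so it runs without a server. Table and rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE t1 (id INTEGER, name TEXT)");
$db->exec("INSERT INTO t1 (id, name) VALUES (1, 'alice'), (2, 'bob')");

// The pattern from the post: both values are pasted into the SQL text.
// Nothing inspects or escapes them; the database just parses the result.
function interpolatedSql(string $id, string $name): string
{
    return "SELECT * FROM t1 WHERE id = $id AND name = '$name'";
}

// Hardened version: the SQL text is fixed and the values travel separately,
// so a quote or keyword inside a value can never change the statement.
function lookup(PDO $db, string $id, string $name): array
{
    $stmt = $db->prepare("SELECT * FROM t1 WHERE id = :id AND name = :name");
    $stmt->execute([':id' => $id, ':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$payload = "' OR 1";   // the value from the post

// What the database actually receives for each placement of the payload.
$attempts = [
    'quoted column'   => interpolatedSql('1', $payload),
    'unquoted column' => interpolatedSql($payload, 'alice'),
];
foreach ($attempts as $label => $sql) {
    echo $label, ": ", $sql, "\n";
    try {
        $rows = $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
        echo "  executed, ", count($rows), " row(s)\n";
    } catch (PDOException $e) {
        // A parse error is an accident of the surrounding SQL, not protection.
        echo "  rejected by the SQL parser: ", $e->getMessage(), "\n";
    }
}

// With a prepared statement the payload is just a value that matches no row.
echo "prepared, payload as name: ", count(lookup($db, '1', $payload)), " row(s)\n";
echo "prepared, payload as id:   ", count(lookup($db, $payload, 'alice')), " row(s)\n";
echo "prepared, legitimate call: ", count(lookup($db, '1', 'alice')), " row(s)\n";
```

Run it with `php example.php`. The first loop prints the two assembled statements so you can read them the way the parser does: in one the payload's quote closes the string early, in the other it opens a string where a number was expected. Either outcome is decided by the SQL around the value, which is why a failed attempt is not evidence that anything was escaped. The prepared-statement calls return 0, 0 and 1 rows respectively, because the driver sends the values out of band and the query text never changes.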