authorDries Buytaert <dries@buytaert.net>2005-10-13 10:23:17 +0000
committerDries Buytaert <dries@buytaert.net>2005-10-13 10:23:17 +0000
commitd3211f014ddb029d603592d64d22dca7fcc6bbd5 (patch)
tree5d28962a86e8490a693c0d3f037bc54f7d8f8e6d
parent5f0e0f364964b46bbaea3390acfe3628d32b0c07 (diff)
- Modified patch #13180/#29414: use mysql_real_escape_string() to escape
strings rather than addslashes(). mysql_real_escape_string() uses the connection's charset settings to escape properly.
-rw-r--r--includes/database.mysql.inc2
-rw-r--r--includes/database.mysqli.inc2
2 files changed, 2 insertions, 2 deletions
diff --git a/includes/database.mysql.inc b/includes/database.mysql.inc
index 2f771d9e6..d816b6dd8 100644
--- a/includes/database.mysql.inc
+++ b/includes/database.mysql.inc
@@ -266,7 +266,7 @@ function db_decode_blob($data) {
* Prepare user input for use in a database query, preventing SQL injection attacks.
*/
function db_escape_string($text) {
- return addslashes($text);
+ return mysql_real_escape_string($text);
}
/**
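Review bot: The added `return mysql_real_escape_string($text);` passes no link identifier, so it escapes against whichever mysql connection was opened last; if none is open, PHP attempts a default `mysql_connect()` and the function returns `false` with a warning, which would put an empty value into the query. Passing the connection explicitly avoids that, e.g. `return mysql_real_escape_string($text, $link);`, where `$link` is a placeholder for the handle this backend keeps (not visible in the hunk). The identical added line in the includes/database.mysqli.inc hunk is the more serious case: that backend presumably connects through mysqli, so the mysql-extension function has no connection of its own to consult, and the line should most likely read `return mysqli_real_escape_string($link, $text);`. The docblock's "preventing SQL injection attacks" would also benefit from a qualifier such as `Only safe when the result is placed inside a quoted string literal; numeric arguments must be cast or validated separately.`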
diff --git a/includes/database.mysqli.inc b/includes/database.mysqli.inc
index f77709cf2..b0a5278d0 100644
--- a/includes/database.mysqli.inc
+++ b/includes/database.mysqli.inc
@@ -266,7 +266,7 @@ function db_decode_blob($data) {
* Prepare user input for use in a database query, preventing SQL injection attacks.
*/
function db_escape_string($text) {
- return addslashes($text);
+ return mysql_real_escape_string($text);
}