From d3211f014ddb029d603592d64d22dca7fcc6bbd5 Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Thu, 13 Oct 2005 10:23:17 +0000
Subject: - Modified patch #13180/#29414: use mysql_real_escape_string() to escape strings rather than addslashes(). mysql_real_escape_string() uses the connections charset settings to properly escape.
---
 includes/database.mysql.inc | 2 +-
 includes/database.mysqli.inc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'includes')
diff --git a/includes/database.mysql.inc b/includes/database.mysql.inc
index 2f771d9e6..d816b6dd8 100644
--- a/includes/database.mysql.inc
+++ b/includes/database.mysql.inc
@@ -266,7 +266,7 @@ function db_decode_blob($data) {
 * Prepare user input for use in a database query, preventing SQL injection attacks.
 */
 function db_escape_string($text) {
- return addslashes($text);
+ return mysql_real_escape_string($text);
 }
 /**
diff --git a/includes/database.mysqli.inc b/includes/database.mysqli.inc
index f77709cf2..b0a5278d0 100644
--- a/includes/database.mysqli.inc
+++ b/includes/database.mysqli.inc
@@ -266,7 +266,7 @@ function db_decode_blob($data) {
 * Prepare user input for use in a database query, preventing SQL injection attacks.
 */
 function db_escape_string($text) {
- return addslashes($text);
+ return mysql_real_escape_string($text);
 }
-- cgit v1.2.3
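Review bot: In includes/database.mysql.inc, `mysql_real_escape_string($text)` is called without a link identifier, so `db_escape_string()` escapes against whichever connection the mysql extension opened last. If no connection is open, it tries to open a default one, raises a warning and returns `false`. Passing the handle ties the escaping to the connection the query actually runs on: `return mysql_real_escape_string($text, $link);`, where `$link` is a placeholder for this file's connection handle, which the hunk does not show. The docblock should also state two limits: the result is only safe inside a quoted string literal, and the escaping follows the charset the client library knows about, which a `SET NAMES` query does not update.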
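Review bot: The new return line in includes/database.mysqli.inc calls `mysql_real_escape_string()`, which belongs to the mysql extension and knows nothing about the mysqli connection this backend uses. Where only mysqli is loaded the call is an undefined function. Where both extensions are loaded it has no mysql link to work with, so it can emit a warning and return `false`, silently replacing the value to be escaped. The mysqli counterpart takes the connection as its first argument: `return mysqli_real_escape_string($connection, $text);`, where `$connection` is a placeholder for this file's mysqli handle, which the hunk does not show. Both the charset benefit named in the commit message and the docblock's injection claim depend on escaping against the connection that executes the query.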