Hi all. I picked up the following code example from the php manual:
-
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
-
OR die(mysql_error());
-
-
// Query
-
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
-
mysql_real_escape_string($user),
-
mysql_real_escape_string($password));
My question is, shouldn't we be escaping the ' in the sprintf statement with backslashes? Like this? -->
- $query = sprintf("SELECT * FROM users WHERE user=\'%s\' AND password=\'%s\'",
-
mysql_real_escape_string($user),
-
mysql_real_escape_string($password));
I'm kind of confused with all this. When are we supposed to put the backslashes?? Please somebody help.
Also, while you pros are at it, I'll really appreciate it if you could tell me if these two strings are the same:
String A:
- char A[] = "Hello. 'How are you' "
String B:
- char B[] = "Hello. \'How are you\'"
Because both print Hello. 'How are you' on the screen on using printf.
Also, both have the same string lengths.
I'm wondering why we need to escape the 's at all if they print the same string and are of the same length as well.
Sorry if the question is uber-dumb.
Thanks in advance,
Sid
