[Phpmyadmin-devel] mysql(i)_real_escape_string()

Marc Delisle Marc.Delisle at cegepsherbrooke.qc.ca
Fri Oct 21 06:26:51 CEST 2005


Sebastian Mendel a ├ęcrit :
> Hi,
> 
> how does phpMyAdmin normaly escapes string inserted in sql querys?
> or
> why is there no function like PMA_DBI_escapeString() ?
> 

We are not using escaping, and I don't think we should do.
A few months ago I had a look at our login panel and I don't think there 
is an injection problem there.

IMO there are two situations here.

1. If you are talking about what we do with queries coming from users, 
for example in sql.php, users need to be able to send any query here.

2. If you found some place where we build a query in PMA and there could 
be an injection problem, please tell us (not on this list :)  )

Marc

Marc




More information about the Developers mailing list