I am trying to understand manual escaping in PHP. I read this example:
if ($_POST) {
    $query = 'UPDATE hersteller SET zulieferer = \''.mysql_real_escape_string($_POST['zulieferer']).'\', telefon = \''.mysql_real_escape_string($_POST['telefon']).'\', city = \''.mysql_real_escape_string($_POST['telefax']).'\' WHERE id = '.(int) $_POST['id']; // id is not quoted in the SQL, so it is cast to an integer
    $update = mysql_query($query) or die(mysql_error());
}
The statement starts with an apostrophe. Unfortunately, I couldn't find a description.
1st part? 'UPDATE hersteller SET zulieferer = \'
2nd part? '.mysql_real_escape_string($_POST['zulieferer']).'
3rd part? ', telefon = \'
4th part? '.mysql_real_escape_string($_POST['telefon']).'
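
How the pieces of the statement above fit together, as an added example that is not part of the original post. The sample input is constructed, `esc()` is a hypothetical stand-in for `mysql_real_escape_string()` (which needs a live MySQL connection), and the in-memory SQLite database reached through PDO is an assumption made so the script runs offline.

```php
<?php
// Constructed sample input standing in for $_POST.
$post = ['zulieferer' => "O'Brien GmbH", 'telefon' => '030 1234',
         'telefax' => '030 5678', 'id' => '7'];

// Hypothetical stand-in for mysql_real_escape_string(): doubles apostrophes,
// which is how SQLite escapes them inside a quoted SQL string.
function esc(string $v): string { return str_replace("'", "''", $v); }

// Inside a single-quoted PHP literal, \' is one apostrophe in the string.
// Each piece is either such a literal or a function call; '.' joins them.
$parts = [
    'UPDATE hersteller SET zulieferer = \'',  // literal; ends by opening an SQL string
    esc($post['zulieferer']),                 // escaped value inside that SQL string
    '\', telefon = \'',                       // closes the SQL string, opens the next
    esc($post['telefon']),
    '\', city = \'',
    esc($post['telefax']),
    '\' WHERE id = ',                         // closes the last SQL string
    (int) $post['id'],                        // unquoted number: cast, escaping is not enough
];
$query = implode('', $parts);
echo $query, "\n";                            // the SQL text the database receives

// The same update with placeholders: no quoting or escaping by hand.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE hersteller (id INTEGER PRIMARY KEY, zulieferer TEXT, telefon TEXT, city TEXT)');
$pdo->exec('INSERT INTO hersteller (id) VALUES (7)');

$stmt = $pdo->prepare(
    'UPDATE hersteller SET zulieferer = :z, telefon = :t, city = :c WHERE id = :id'
);
$stmt->execute([
    ':z'  => $post['zulieferer'],
    ':t'  => $post['telefon'],
    ':c'  => $post['telefax'],
    ':id' => (int) $post['id'],
]);
print_r($pdo->query('SELECT * FROM hersteller')->fetch(PDO::FETCH_ASSOC));
```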