On 19/04/2012 20:30, Yvon Thoraval wrote:
>
> 2012/4/19 Raymond O'Donnell <rod@xxxxxx>
>
>     Or better still - and easier - use parametrised queries.
>
> Right, it is easier, something like:
>
> $sql = "INSERT INTO categories (idx, ctime, mtime, name) VALUES (:idx, :ctime,
> :mtime, :name);";
> $prep = $db->prepare($sql);
> $prep->execute(array(':idx' => $_GET['idx'], ':ctime' => $ctime,
> ':mtime' => $mtime, ':name' => $name));
>
> No more need to $db->quote() in that case, as in:
> $name = $db->quote($name);
> ???
> I mean, even if $name = "L'envers"? (i.e. with a ' in it?)

Yep - no need to worry about quoting if you use parameters - it's all
done for you. It's also MUCH safer, as it makes SQL injection attacks
much harder (if not impossible).

Ray.

-- 
Raymond O'Donnell :: Galway :: Ireland
rod@xxxxxx

-- 
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
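The point Ray makes above, as an added, self-contained example that is not part of the thread: the same INSERT from Yvon's post, first built by string concatenation and then as a prepared statement, run against an in-memory SQLite database through PDO so it can be executed offline. The column types, the sample timestamps and the fixed idx value are assumptions; the name "L'envers" is the value from the thread. With PostgreSQL the only change is the DSN passed to the PDO constructor.

```php
<?php
// Added example, not code from the mailing-list thread.
// Schema and sample values are assumptions made for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (idx INTEGER PRIMARY KEY, ctime TEXT, mtime TEXT, name TEXT)');

$ctime = $mtime = '2012-04-19 20:30:00';   // constructed sample timestamps
$name  = "L'envers";                       // the apostrophe case asked about in the thread

// 1) Interpolating the value into the SQL text without quoting: the apostrophe
//    in $name terminates the string literal early, so the statement is malformed.
//    Any input that changes the shape of the statement is the root of SQL injection.
try {
    $db->exec("INSERT INTO categories (idx, ctime, mtime, name)
               VALUES (1, '$ctime', '$mtime', '$name')");
    echo "concatenated query unexpectedly succeeded" . PHP_EOL;
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . PHP_EOL;
}

// 2) Parametrised query: the SQL text contains only placeholders and the values
//    travel separately, so the driver never has to quote them and the apostrophe
//    cannot alter the statement. No $db->quote() call is needed.
$sql  = "INSERT INTO categories (idx, ctime, mtime, name) VALUES (:idx, :ctime, :mtime, :name)";
$prep = $db->prepare($sql);
$prep->execute([':idx' => 1, ':ctime' => $ctime, ':mtime' => $mtime, ':name' => $name]);

// Verify that the value was stored exactly as given, apostrophe included.
$row = $db->query('SELECT name FROM categories WHERE idx = 1')->fetch(PDO::FETCH_ASSOC);
echo 'stored name: ' . $row['name'] . PHP_EOL;
echo 'round-trip intact: ' . ($row['name'] === $name ? 'yes' : 'no') . PHP_EOL;
```

Running it prints the error from the concatenated statement, then the parametrised insert stores "L'envers" unchanged. Note that parameters protect the values only; table and column names still have to come from a fixed allow-list in the code, since they cannot be bound as parameters.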