On 6/17/07, PFC <lists@xxxxxxxxxx> wrote:
I either use pg_query_params() which automagically handles all quoting, or an ORM which does the same. There is no reason to include strings in SQL statements except laziness. MySQL does not have a mysql_query_params() for PHP, so you have to write one, it's pretty simple.
Take your pick:
- Quotemeta
- Addslashes
- Htmlentities($string, 'utf-8')
- Magic_quotes in the INI
- Anti-XSS code (several available online)
Python's (and Perl's) strength in this respect is that they make it easier to use the safe solution, i.e., query( "sql with ? or $1 or %s", arg, arg, arg )
$sql = "select column from table where field = '%s'";   // the submitted value is pasted into the statement as text, not bound as a parameter
$sql = sprintf($sql, $submittedvariable); ..
PEAR::DB is horrendous.
And hugely unnecessary. EP
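As an added example (not code from anyone in this thread), here is the kind of query_params() helper PFC says one has to write for MySQL in PHP, applied to the sprintf-style query quoted above. The escaper callback, the query_params name and the hostile sample input are constructed for this illustration; in real use the callback would wrap mysqli_real_escape_string() on the live connection, or you would skip the helper entirely and use pg_query_params() / prepared statements as the thread recommends.

```php
<?php
// Added example: a minimal query_params() helper for MySQL-flavoured PHP. It walks
// the SQL, replacing each '?' that sits outside a string literal with one escaped,
// quoted argument, so submitted data never reaches the statement as raw text.
// $escape is injected so the function can be exercised without a live connection;
// in production pass fn($s) => mysqli_real_escape_string($link, $s).
function query_params(string $sql, array $args, callable $escape): string {
    $out = '';
    $inString = false;
    $argIndex = 0;
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $c = $sql[$i];
        if ($c === "'") {
            // track literal boundaries so a '?' inside quotes is left alone
            $inString = !$inString;
        } elseif ($c === '?' && !$inString) {
            if (!array_key_exists($argIndex, $args)) {
                throw new InvalidArgumentException("placeholder $argIndex has no argument");
            }
            $v = $args[$argIndex++];
            if ($v === null) {
                $out .= 'NULL';
            } elseif (is_int($v) || is_float($v)) {
                $out .= (string) $v;              // numbers need no quoting
            } else {
                $out .= "'" . $escape((string) $v) . "'";
            }
            continue;
        }
        $out .= $c;
    }
    if ($argIndex !== count($args)) {
        throw new InvalidArgumentException('more arguments than placeholders');
    }
    return $out;
}

// Stand-in escaper for offline use, covering the same metacharacters that
// mysql_real_escape_string handles. Only the server-side function knows the
// connection's character set, which matters for multibyte encodings, so do not
// ship this stand-in; it exists here so the helper runs without a database.
$escape = fn(string $s): string => strtr($s, [
    "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
    "\n" => "\\n", "\r" => "\\r", "\0" => "\\0", "\x1a" => "\\Z",
]);

$submittedvariable = "x' OR '1'='1";   // constructed hostile input for the demo
echo query_params('select column from table where field = ?', [$submittedvariable], $escape), "\n";
```

The quoted sprintf version would let the quote in $submittedvariable terminate the literal; the helper emits it as one escaped string so the WHERE clause still compares against a single value.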