<tg-php@xxxxxxxxxxxxxxxxxxxxxx> writes:

> So if I could broaden the question and ask, in general, what people
> recommend for pre-processing data before it goes into a SQL
> statement.. for security and for things like making sure
> single quotes and other special characters are escaped properly?
>
>
> htmlentities()
> addslashes() (if magic quotes isn't turned on right?)
>
> What else?
>

Using some sort of database abstraction library (Pear::Db, Adodb) also helps. At least Adodb escapes the slashes in a SQL statement before it is sent for execution. Using a library also provides a choke point and you can add your own additional checks in the library without letting the developers worry if they have done all the checks and validations correctly.

--
Raj Shekhar
Y! : Operations Engineer
MySQL DBA, programmer and slacker
Y!IM : lunatech3007
home : http://rajshekhar.net
blog : http://rajshekhar.net/blog/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
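The reply's point about a single "choke point" for database access is worth seeing in code. The following is an added example, not code from the thread, from PEAR DB or from Adodb: a small wrapper class that every query goes through, binding values as parameters instead of splicing escaped strings into the SQL text. This sidesteps the two tools the original question lists: htmlentities() encodes for HTML output, not for SQL, and addslashes() knows nothing about the connection's character set. It assumes PHP 7.4 or later with the PDO and pdo_sqlite extensions; the in-memory SQLite database is a stand-in for the real server so the script runs offline. The class name `Db` and its methods are this example's own.

```php
<?php
// Added example, not code from the original thread. It sketches the "choke point"
// the reply recommends: one small data-access class that every query passes through.
// Values are never spliced into the SQL text (no addslashes()); they are bound as
// parameters, so the driver keeps data separate from the statement.
// Assumptions: PHP 7.4+ with the PDO and pdo_sqlite extensions. An in-memory SQLite
// database stands in for the real server so the script runs offline.

final class Db
{
    private PDO $pdo;

    public function __construct(string $dsn)
    {
        $this->pdo = new PDO($dsn);
        // Fail loudly instead of returning false that callers forget to check.
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    /** Run a SELECT with named parameters and return all rows. */
    public function select(string $sql, array $params = []): array
    {
        return $this->run($sql, $params)->fetchAll(PDO::FETCH_ASSOC);
    }

    /** Run INSERT/UPDATE/DELETE/DDL with named parameters; return affected rows. */
    public function execute(string $sql, array $params = []): int
    {
        return $this->run($sql, $params)->rowCount();
    }

    private function run(string $sql, array $params): PDOStatement
    {
        $this->checkParams($params);
        $stmt = $this->pdo->prepare($sql);
        foreach ($params as $name => $value) {
            // Bind with an explicit type so integers stay integers and NULL stays NULL.
            if (is_int($value)) {
                $type = PDO::PARAM_INT;
            } elseif ($value === null) {
                $type = PDO::PARAM_NULL;
            } else {
                $type = PDO::PARAM_STR;
            }
            $stmt->bindValue($name, $value, $type);
        }
        $stmt->execute();
        return $stmt;
    }

    /**
     * The one place for the "additional checks" the reply mentions. Here it rejects
     * anything that is not a scalar or null (arrays and objects are almost always a
     * bug upstream) and over-long strings; application rules can be added here once
     * instead of in every caller.
     */
    private function checkParams(array $params): void
    {
        foreach ($params as $name => $value) {
            if (!is_scalar($value) && $value !== null) {
                throw new InvalidArgumentException("Parameter $name must be scalar or null");
            }
            if (is_string($value) && strlen($value) > 4096) {
                throw new InvalidArgumentException("Parameter $name is too long");
            }
        }
    }
}

// --- Constructed demo data (not from the thread) ---------------------------
$db = new Db('sqlite::memory:');
$db->execute('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// A name containing a single quote: the exact case the original question asks about.
$db->execute('INSERT INTO users (name) VALUES (:name)', [':name' => "O'Reilly"]);
$db->execute('INSERT INTO users (name) VALUES (:name)', [':name' => 'Alice']);

// The quote is stored and matched literally, with no escaping code in the application.
$rows = $db->select('SELECT id, name FROM users WHERE name = :name', [':name' => "O'Reilly"]);
assert(count($rows) === 1 && $rows[0]['name'] === "O'Reilly");

// Input shaped like a quote-breaking attempt is just an unmatched string: zero rows.
$rows = $db->select('SELECT id FROM users WHERE name = :name', [':name' => "x' OR '1'='1"]);
assert(count($rows) === 0);

echo "ok\n";
```

Because all SQL goes through `run()`, logging, query timeouts or per-table access rules can later be added in that one method, which is what makes the wrapper a useful choke point rather than just a convenience.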