I have a related question: many of you have suggested using addslashes on your variables to prevent SQL injections, but is it safer to use mysql_real_escape_string (or mysql_escape_string)? What is the benefit / cost of using mysql_real_escape_string rather than addslashes?

When using Postgres I always use pg_escape_string on anything I send the DB's way. In fact the manual says specifically to use pg_escape_string rather than addslashes (however it doesn't give that advice in mysql_real_escape_string)...

http://us3.php.net/manual/en/function.pg-escape-string.php

Not being familiar with the internals of any of these functions, I'm wondering which are safer or do they do approximately the same thing? Is there any difference in performance? Which method do you use and why?

-k.

--
PHP General Mailing List (http://www.php.net/)