Jochem Maas wrote:
Brad Bonkoski wrote:
All...
A lot has been said recently about the dangers of the family of
magic_quotes...
I understand the dangers.
The question is, for those of us using a database that does not have
a *real_escape_string function...Oracle for example.
What is the *best* way to escape quotes for DB insertion?
It seems that addslashes gets a lot of flack, but is there any
other/better way?
if this is about escaping single quotes (and there maybe other stuff
that needs
escaping - stuff I can't think of right now - stuff that may or may
not be related
to the encoding one is using [e.g. unicode]) then one should be
escaping single quotes
with single quotes:
UPDATE blatable SET blafield = 'my ''blablabla''';
which all decent/recent DBMS' support IIRC.
Understood what the esacpe character needs to be...the question is the
best way to get it there?
Currently I have:
magic_quotes_sybase = On
so a function call like addslashes() would actually escape single quotes
with another single quote...
Is there a better/more secure wahy?
-Brad
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
