Brad Bonkoski wrote:
All...
A lot has been said recently about the dangers of the family of
magic_quotes...
I understand the dangers.
The question is, for those of us using a database that does not have a
*real_escape_string function...Oracle for example.
What is the *best* way to escape quotes for DB insertion?
Looking at the manual I would assume that ora_bind() is the best way of safely
stuffing things into an Oracle DB:
http://php.net/manual/en/function.ora-bind.php
If this function is of any worth it *should* be doing any/all proper escaping of
data 'under water' and hopefully much more thoroughly/correctly than anything you/we
could do in userland.
<remark type="biased">
Of course you could use Firebird DB (php5 interbase extension) and just make use of
the built-in parameterized query functionality - which is simple to use, doesn't
require endless reams of parameter binding declaration and is rock solid (i.e. no
matter how crap my input filtering is, SQL injection remains impossible ;-))
</remark>
It seems that addslashes gets a lot of flak, but is there any
other/better way?
-Brad
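As an added illustration of the "bind parameters, don't escape" approach the reply recommends (example code, not written by anyone in this thread): the same pattern using PDO prepared statements instead of the old ora_* functions, run against an in-memory SQLite database so it is self-contained. The Oracle DSN mentioned in the comments is an assumption about the reader's environment.

```php
<?php
// Added example (not from the thread): the "bind, don't escape" approach the
// reply recommends, shown with PDO prepared statements so it runs stand-alone
// against an in-memory SQLite database. For Oracle only the DSN would change
// (e.g. 'oci:dbname=...', an assumption about the reader's setup).

function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $pdo;
}

// The value travels to the driver separately from the SQL text, so quotes,
// backslashes or semicolons in $name can never alter the statement's structure.
// Compare the pattern the thread warns against:
//   $pdo->exec("INSERT INTO users (name) VALUES ('" . addslashes($name) . "')");
// which relies on the escaping matching this database's quoting rules exactly.
function insertUser(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function findUser(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = openDemoDb();

// Constructed input containing the characters addslashes() would escape.
$tricky = "O'Brien \\ \"quoted\"";
$id = insertUser($pdo, $tricky);

// Round-trips byte for byte: no escaping layer was needed, and a second layer
// (magic_quotes on top of addslashes) would have stored doubled backslashes.
$row = findUser($pdo, $tricky);
if ($row === null || $row['name'] !== $tricky) {
    throw new RuntimeException('round-trip failed');
}
printf("stored id %d, name %s\n", $id, $row['name']);
```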
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php