Re: Simulating mysql_real_escape_string

Tim Traver wrote:
Hi all,

ok, have a relatively complicated architecture of php scripts in place, and after reading more about SQL injection, want to make sure that I clean my data completely before I enter it into a MySQL db.

I tend to clean the data on the way into the app, which has many subroutines that process the data. I've written generic functions to wrap queries to the database.

So, because I don't yet have an open connection to the database when the data comes in the front door, or even when I am constructing the query, I cannot use mysql_real_escape_string to clean the data.

Is there a way to essentially duplicate the mysql_real_escape_string if you already know the character set that the MySQL db is using ???

When I'm constructing a query, it doesn't make sense to open the connection just to use that function.

Can I just use the deprecated mysql_escape_string ? or is there maybe a sequence of addcslashes parameters that can accomplish the same thing ???


mysql_escape_string() should be fine. The only difference between the two is that 'real' uses your connection to determine the current character set.

--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
jnichel@xxxxxxxxxxxxxxxxxxxxxxxxxxx

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
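
The character-set difference named in the reply, as an added example that is not part of the original thread: a Python byte-level model of charset-unaware escaping, with a check of which connection character sets make that difference matter. The function names and the sample bytes are constructed for illustration; only the list of escaped characters comes from the PHP manual.

```python
# Added illustration: a byte-level model, not PHP's or MySQL's source code.
# Bytes escaped by mysql_escape_string (same set as the 'real' variant):
# NUL, \n, \r, \, ', " and Ctrl-Z.
ESCAPES = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x5C: b"\\\\",
           0x27: b"\\'", 0x22: b'\\"', 0x1A: b"\\Z"}

SAMPLE = b"\xbf'"  # constructed input: a multibyte lead byte, then a quote


def naive_escape(data: bytes) -> bytes:
    """Charset-unaware escaping: each byte is treated as one character."""
    return b"".join(ESCAPES.get(b, bytes([b])) for b in data)


def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Count quotes that still terminate a string literal once the server
    decodes `escaped` using the connection character set `charset`."""
    count, skip = 0, False
    for ch in escaped.decode(charset, errors="replace"):
        if skip:              # character right after a backslash is escaped
            skip = False
        elif ch == "\\":
            skip = True
        elif ch == "'":
            count += 1
    return count


def swallows_backslash(charset: str) -> bool:
    """True if some lead byte followed by 0x5C decodes as ONE character in
    `charset`, i.e. an inserted backslash can be absorbed as a trail byte."""
    for lead in range(0x80, 0x100):
        try:
            if len(bytes([lead, 0x5C]).decode(charset)) == 1:
                return True
        except UnicodeDecodeError:
            continue          # not a valid sequence in this charset
    return False


if __name__ == "__main__":
    escaped = naive_escape(SAMPLE)
    for cs in ("latin-1", "utf-8", "gbk", "big5", "shift_jis"):
        print(f"{cs:10} absorbs backslash: {swallows_backslash(cs)!s:5} "
              f"live quotes in sample: {unescaped_quotes(escaped, cs)}")
```

For latin-1 and utf-8 the charset-unaware output leaves no live quote, so the two functions agree; for gbk, big5 and shift_jis the inserted backslash can become part of a multibyte character, which is the case the connection-aware function exists for.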