Honestly, just connect to the database earlier in your code... if you insist on not doing that, use mysql_escape_string and just forget ever moving to Unicode data.

On Mon, June 19, 2006 3:58 pm, Tim Traver wrote:
> Hi all,
>
> ok, have a relatively complicated architecture of php scripts in place,
> and after reading more about SQL injection, want to make sure that I
> clean my data completely before I enter it into a MySQL db.
>
> I tend to clean the data on the way into the app, which has many
> subroutines that process the data. I've written generic functions to
> wrap queries to the database.
>
> So, because I don't yet have an open connection to the database when the
> data comes in the front door, or even when I am constructing the query,
> I cannot use mysql_real_escape_string to clean the data.
>
> Is there a way to essentially duplicate the mysql_real_escape_string if
> you already know the character set that the MySQL db is using ???
>
> When I'm constructing a query, it doesn't make sense to open the
> connection just to use that function.
>
> Can I just use the deprecated mysql_escape_string ? or is there maybe a
> sequence of addcslashes parameters that can accomplish the same thing ???
>
> Thanks,
>
> Tim.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

--
Like Music?
http://l-i-e.com/artists.htm
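The character-set dependence behind the question above, as an added example that is not part of the thread: a byte-wise escaper with no charset knowledge is checked against several charsets by decoding its output the way a server using that charset would read it. The function names are assumptions, the escaper is only modelled on what a connection-less escape does, and Python is used for its built-in codecs.

```python
# Bytes a connection-less, charset-blind escaper rewrites:
# NUL, LF, CR, backslash, single quote, double quote, Ctrl-Z.
ESCAPES = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x5C: b"\\\\",
           0x27: b"\\'", 0x22: b'\\"', 0x1A: b"\\Z"}


def bytewise_escape(data: bytes) -> bytes:
    """Escape byte by byte, without knowing where characters begin or end."""
    return b"".join(ESCAPES.get(b, bytes([b])) for b in data)


def has_bare_quote(text: str) -> bool:
    """True if the decoded string holds a quote that no backslash escapes."""
    escaped = False
    for ch in text:
        if escaped:
            escaped = False          # this character is covered by a backslash
        elif ch == "\\":
            escaped = True
        elif ch in "'\"":
            return True
    return False


def unsafe_lead_bytes(charset: str) -> list:
    """Lead bytes that absorb the inserted backslash as a trail byte in
    `charset`, leaving the quote that followed them unescaped."""
    found = []
    for lead in range(0x80, 0x100):
        escaped = bytewise_escape(bytes([lead, 0x27]))  # constructed input
        try:
            decoded = escaped.decode(charset)
        except UnicodeDecodeError:
            continue                 # not a valid sequence in this charset
        if has_bare_quote(decoded):
            found.append(lead)
    return found


if __name__ == "__main__":
    for cs in ("latin-1", "utf-8", "gbk"):
        bad = unsafe_lead_bytes(cs)
        print(f"{cs:8} {'UNSAFE' if bad else 'ok'} ({len(bad)} lead bytes)")
```

An empty list means byte-wise escaping holds for that charset; a non-empty one is why mysql_real_escape_string takes the connection's character set into account.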