On Mon, April 2, 2007 1:32 pm, Chris Shiflett wrote:
> Richard Lynch wrote:
>> Should one be ultra-conservative and just do:
>> $foo_sql = mysql_real_escape_string($foo, $connection);
>
> I don't consider this (escaping) to be particularly conservative; it's
> appropriate for any data you want to use in an SQL query that's being
> sent to MySQL.
>
> Filtering is different - making sure something is what you expect.
> Escaping makes sure that something isn't mistaken for something else in
> a different context, and mysql_real_escape_string() takes character
> encoding into consideration, protecting you against edge cases like
> this:
>
> http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

I meant:

"... ultra-conservative and just spend the CPU cycles to ALSO do
mysql_real_escape_string after the typecast"

I would not ever ever do only the MySQL escape with no filtering.

That would be daft.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
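The two separate steps the exchange above is about, filter (make sure the value is what you expect) and then escape for the SQL context, as an added example that is not code from the thread or from either poster. The function names (filter_user_id, escape_for_mysql, build_user_query, addslashes_gbk_leaves_quote), the $db handle and the connection details are this example's own assumptions; it uses mysqli because ext/mysql and mysql_real_escape_string() no longer exist in current PHP. The last function needs no database and reproduces, with constructed input, the multibyte edge case the linked post is about: addslashes() on the byte 0xBF followed by a quote yields 0xBF 0x5C 0x27, and a server parsing that as GBK sees one two-byte character followed by a bare quote.

```php
<?php
// Added example, not code from the original thread.
// Step 1: filter. An id must be 1..10 ASCII digits; anything else is
// rejected rather than "cleaned up". Returns null on rejection.
function filter_user_id($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    if (!preg_match('/\A[0-9]{1,10}\z/', (string) $raw)) {
        return null;
    }
    return (int) $raw;
}

// Step 2: escape for the MySQL string context. Requires a connection whose
// charset was set with mysqli_set_charset(), so the client library escapes
// with the same multibyte rules the server uses when it parses the query.
function escape_for_mysql(mysqli $db, string $value): string
{
    return mysqli_real_escape_string($db, $value);
}

// The "ultra-conservative" version: typecast first, then escape anyway.
function build_user_query(mysqli $db, $raw_id): string
{
    $id = filter_user_id($raw_id);
    if ($id === null) {
        throw new InvalidArgumentException('user id must be 1-10 digits');
    }
    $id_sql = escape_for_mysql($db, (string) $id);
    return "SELECT name FROM users WHERE id = {$id_sql}";
}

// Offline demonstration of the edge case behind the linked post.
// Constructed input: the byte 0xBF followed by a single quote. 0xBF27 is not
// a valid GBK character, but 0xBF5C is, so the backslash addslashes() adds
// gets swallowed into a multibyte character and the quote survives.
function addslashes_gbk_leaves_quote(): bool
{
    $input   = "\xBF'";            // constructed
    $escaped = addslashes($input); // bytes: BF 5C 27
    // Read the result the way a GBK-connected server would: character 0 is
    // the two-byte 0xBF5C, character 1 is the unescaped quote.
    $second = mb_substr($escaped, 1, 1, 'GBK');
    return $second === "'";
}

// Usage (assumes a reachable MySQL server; host and credentials are
// placeholders, not values from the thread):
// $db = mysqli_connect('localhost', 'user', 'pass', 'app');
// mysqli_set_charset($db, 'utf8mb4');
// echo build_user_query($db, $_GET['id'] ?? ''), "\n";
// var_dump(addslashes_gbk_leaves_quote());
```

The point of doing both steps is that they answer different questions: filter_user_id() decides whether the value is acceptable at all, and escape_for_mysql() only decides how an already-accepted value is written into the query. For an integer that has been cast, the escape is redundant, which is exactly the "spend the CPU cycles anyway" stance above; for a free-text field it is the step that matters, and it is only correct when the connection charset was set through the client library rather than with a bare SET NAMES.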