Dotan Cohen wrote:
On 23/01/2008, mike <mike503@xxxxxxxxx> wrote:
It would be Real Nifty (tm) if the MySQL API had a function that let
you specify the charset without a connection and did the escaping.
Presumably you don't NEED a connection if you already know what
charset thingie you are aiming at...
I concur - it would be nice to have the capability to have a normal
string escape function and give it a character set. I mean we should
all be using utf-8 anyway, right?
I'd be interested in hearing an argument against UTF-8, other than the
disk space argument.
Right now I still use mysql_escape_string and it seems to work fine,
but it makes me nervous as everything else I use is mysqli and I know
it is not 100% compatible (just haven't had anything break it yet) -
but I hate having to have a connection handle open just to escape
things.
I think it was here on this list that we saw an example of SQL
injection despite the use of mysql_escape_string. Some funky Asian
charset was used, no?
Nope.
This article explains all I think:
http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html
--
Postgresql & php tutorials
http://www.designmagick.com/
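The connection-less, charset-aware escape wished for in the thread, next to a byte-wise escaper, as an added example that is not part of the original messages. It is a Python model rather than PHP or MySQL code, chosen so it runs offline. All function names are hypothetical, the byte-wise escaper only models the documented escape set of mysql_escape_string, and the inputs are constructed.

```python
# Added illustration: hypothetical helper names, not a PHP or MySQL API.

# Bytes a charset-unaware escaper (modelled on mysql_escape_string) prefixes
# with a backslash: NUL, \n, \r, Ctrl-Z, single quote, double quote, backslash.
_BYTE_MAP = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
             0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\"}
_CHAR_MAP = {chr(k): v.decode("ascii") for k, v in _BYTE_MAP.items()}


def escape_bytewise(raw: bytes) -> bytes:
    """Escape byte by byte, with no knowledge of the server-side charset."""
    return b"".join(_BYTE_MAP.get(b, bytes([b])) for b in raw)


def escape_for_charset(raw: bytes, charset: str) -> bytes:
    """Charset-aware escape without a connection: decode, escape whole
    characters, re-encode. Input that is not valid in `charset` is rejected
    with UnicodeDecodeError instead of being passed through."""
    text = raw.decode(charset)
    return "".join(_CHAR_MAP.get(ch, ch) for ch in text).encode(charset)


def has_bare_quote(escaped: bytes, charset: str) -> bool:
    """Read the escaped bytes the way a server using `charset` would and
    report whether any quote is left without a backslash in front of it."""
    text = escaped.decode(charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # skip the backslash and the character it escapes
            continue
        if text[i] in "'\"":
            return True
        i += 1
    return False


if __name__ == "__main__":
    sample = b"\xbf'"  # constructed: a GBK lead byte followed by a quote
    escaped = escape_bytewise(sample)  # b"\xbf\\'"
    # In GBK, 0xBF 0x5C is one two-byte character, so the backslash is
    # absorbed and the quote is bare again; in UTF-8 it stays escaped.
    print("gbk  :", has_bare_quote(escaped, "gbk"))
    print("utf-8:", has_bare_quote(escaped, "utf-8"))
    try:
        escape_for_charset(sample, "gbk")
    except UnicodeDecodeError as exc:
        print("charset-aware escaper rejected the input:", exc.reason)
```

In PHP the same guarantee comes from declaring the connection charset through the API (mysqli's set_charset) before calling real_escape_string, or from prepared statements, which keep data out of the SQL text altogether.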