Re: Using mysql_real_escape_string without connecting to mysql

Dotan Cohen wrote:
On 23/01/2008, Jochem Maas <jochem@xxxxxxxxxxxxx> wrote:
I can read, I saw 2 functions the first time. each function cleans *and* escapes.

cleaning is filtering of input.
escaping is preparing for output.

2 concepts.

I see your point.

if the input needs to be stripped of html then it needs that regardless
of the output vector. again removing or not-accepting input if it contains
'--' is a question of filtering/validation ... besides which '--' is quite
acceptable for data stored in a text field but not for a numeric one.

I'm not accepting "--" at all until someone can show me a real world
case where one would use it, without the intention of SQL injection.
How can it be escaped, anyway?

Depends on your app.

-- is an accepted thing in emails as a marker for signatures.


Also, in mysql_query ';' is automatically handled: you can't send multiple queries to mysql_query and have them execute.

mysql_query() sends a unique query (multiple queries are not supported)



Not sure why the php guys have only done that for mysql_query but there you go :)

--
Postgresql & php tutorials
http://www.designmagick.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
