Dotan Cohen wrote:
On 23/01/2008, Jochem Maas <jochem@xxxxxxxxxxxxx> wrote:
I can read, I saw 2 functions the first time. each function cleans *and* escapes.
cleaning is filtering of input.
escaping is preparing for output.
2 concepts.
I see your point.
if the input needs to be stripped of html then it needs that regardless
of the output vector. again removing or not-accepting input if it contains
'--' is a question of filtering/validation ... besides which '--' is quite
acceptable for data stored in a text field but not for a numeric one.
I'm not accepting "--" at all until someone can show me a real world
case where one would use it, without the intention of SQL injection.
How can it be escaped, anyway?
Depends on your app.
-- is an accepted things in emails as a marker for signatures.
Also in mysql_query ; is automatically handled, you can't send multiple
queries to mysql_query and have them execute.
mysql_query() sends an unique query (multiple queries are not supported)
Not sure why the php guys have only done that for mysql_query but there
you go :)
--
Postgresql & php tutorials
http://www.designmagick.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
