Re: PDO prepared statements and LIKE escaping

On Mon, 04 Aug 2008 08:33:44 +0200, Per Jessen <per@xxxxxxxxxxxx> wrote:
> Larry Garfield wrote:
> 
>> IIRC, the way in SQL to circumvent that is to convert "100%" into
>> "100%%". However, that does rather defeat the purpose of a prepared
>> statement if I have to do my own escaping anyway, does it not?
> 
> Depends on what you perceive the purpose of the prepared statement to
> be :-)  In this context, I tend to think of performance only.  Which is
> generally why I can't be bothered with prepared statements in php.

Actually in most cases in PHP you don't get much performance.  What you do get is added security, because prepared statements are cleaner and more reliable than string escaping.  Of course, then we run into the % problem above.

--Larry Garfield


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
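The "% problem" the thread circles around is that a bound parameter is safe against SQL injection but is still interpreted as a LIKE pattern, so '%' and '_' in user input remain wildcards. The standard fix is to escape those two characters (and the escape character itself) in the application and declare the escape character with an ESCAPE clause, while keeping the value bound. The following is an added example, not code from the thread or from PHP's PDO; it uses Python with SQLite so it runs stand-alone, and the table, rows, and the helper names `escape_like`, `prefix_search_naive` and `prefix_search_escaped` are all constructed for the illustration.

```python
"""Parameterised LIKE query with and without wildcard escaping (added example).

Binding a value with a prepared statement stops SQL injection, but the bound
value is still a LIKE *pattern*: '%' and '_' keep their wildcard meaning.
The fix is to escape them in the application and tell the database which
escape character was used via the ESCAPE clause.
"""
import sqlite3

# Escape character declared in the ESCAPE clause below. Any single character
# works as long as the SQL text and the escaping routine agree on it.
LIKE_ESCAPE = "\\"

# Constructed sample rows: product names that contain LIKE metacharacters.
SAMPLE_ITEMS = ["100", "1000", "100%", "100% off", "A100%",
                "50_off", "50xoff", "50-off"]


def escape_like(value: str, esc: str = LIKE_ESCAPE) -> str:
    """Escape the LIKE metacharacters so they match literally.

    The escape character itself is doubled first; otherwise a user-supplied
    backslash could neutralise the escape we put in front of '%' or '_'.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def build_db() -> sqlite3.Connection:
    """In-memory table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO items (name) VALUES (?)",
                     [(n,) for n in SAMPLE_ITEMS])
    return conn


def prefix_search_naive(conn: sqlite3.Connection, prefix: str) -> list:
    """Prepared statement, but the user input is used as a raw LIKE pattern."""
    rows = conn.execute(
        "SELECT name FROM items WHERE name LIKE ? ORDER BY name",
        (prefix + "%",),
    )
    return [r[0] for r in rows]


def prefix_search_escaped(conn: sqlite3.Connection, prefix: str) -> list:
    """Prepared statement plus LIKE escaping: only our trailing '%' is a wildcard."""
    pattern = escape_like(prefix) + "%"
    rows = conn.execute(
        # ESCAPE '\' is fixed SQL text, not user data. In SQLite a backslash
        # inside a string literal is an ordinary character.
        "SELECT name FROM items WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (pattern,),
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    for needle in ("100%", "50_"):
        print(f"{needle!r:8} naive:   {prefix_search_naive(db, needle)}")
        print(f"{needle!r:8} escaped: {prefix_search_escaped(db, needle)}")
```

Searching for the literal prefix "100%" with the naive version also returns "100" and "1000", because the user's '%' is still a wildcard; the escaped version returns only names that actually start with "100%". The PDO equivalent is the same SQL text with `bindValue()` on the escaped pattern. One caveat when porting: in MySQL a backslash inside a string literal is itself an escape, so the clause has to be written `ESCAPE '\\'` there, or a character with no such baggage (such as '!') should be used as the LIKE escape character on both sides.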

