On Sat, 2009-02-21 at 22:55 +1300, German Geek wrote:
> Ah, ic. Mh, why wouldn't a function like that function without a db
> connection? Does it use the db? Isn't that less efficient? I might just use
> str_replace, because I can't think of any way that one could get a SQL
> injection into
>
> str_replace("'", "\\\'", $value); // might need to replace a literal \ too.
>
> If you can, please enlighten me.
>
> Maybe if they enter something like \c ?? Like one of the mysql special
> commands? But if it's inside a string literal??
>
> Thanks a lot, I would have never thought about that.
>
> Will try.
>
> Tim-Hinnerk Heuer
>
> http://www.ihostnz.com
> George Burns - "I would go out with women my age, but there are no women my
> age."
>
> 2009/2/21 Ross McKay <rosko@xxxxxxxxxxx>
>
> > On Sat, 21 Feb 2009 19:19:44 +1300, tim@xxxxxxxxxxx wrote:
> >
> > >Can anyone here tell me why mysql_real_escape_string("asdasddas") returns
> > >an empty string?
> >
> > Have you opened a connection to a MySQL database? It won't work without
> > an open connection.
> > --
> > Ross McKay, Toronto, NSW Australia
> > "Let the laddie play wi the knife - he'll learn"
> > - The Wee Book of Calvin
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php

It doesn't actually use the connection, but it requires one to be open
before you can use it. You said you're using this on a query anyway, so
why not open the connection to mysql?

Ash
www.ashleysheridan.co.uk
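
An added example, not code from anyone in the thread: it checks what quote-only `str_replace` escaping does to a few constructed inputs under MySQL's default backslash-escape rules, then stores the same inputs through a bound parameter. The helper names are hypothetical, the replacement inserts a single backslash, and an in-memory SQLite database (requires the `pdo_sqlite` extension) stands in for MySQL so the script runs without a server.

```php
<?php
// Added example, not from the thread. Sample inputs are constructed.

// Quote-only escaping in the spirit of the str_replace idea (single backslash).
function quote_only_escape(string $value): string
{
    return str_replace("'", "\\'", $value);
}

// Scan the body of a MySQL single-quoted literal (default sql_mode, where a
// backslash escapes the next character). Returns false when a bare quote
// ends the literal early or a trailing backslash swallows the closing quote.
function literal_stays_closed(string $body): bool
{
    $len = strlen($body);
    for ($i = 0; $i < $len; $i++) {
        if ($body[$i] === '\\') {
            if ($i + 1 >= $len) {
                return false;          // dangling backslash escapes closing quote
            }
            $i++;                      // skip the escaped character
        } elseif ($body[$i] === "'") {
            return false;              // unescaped quote terminates the literal
        }
    }
    return true;
}

$samples = ["O'Brien", "plain text", "ends with \\", "slash-quote \\' pair"];

foreach ($samples as $s) {
    $ok = literal_stays_closed(quote_only_escape($s));
    printf("%-22s %s\n", $s, $ok ? "stays inside literal" : "LITERAL BREAKS");
}

// Bound parameters keep the value out of the SQL text entirely.
// SQLite in memory is used only so this runs offline; prepare()/execute()
// are called the same way with a MySQL DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (body TEXT)');
$insert = $pdo->prepare('INSERT INTO notes (body) VALUES (?)');
foreach ($samples as $s) {
    $insert->execute([$s]);
}
$stored = $pdo->query('SELECT body FROM notes ORDER BY rowid')->fetchAll(PDO::FETCH_COLUMN);
var_dump($stored === $samples); // compares the stored values with the inputs
```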