German Geek wrote:

>Ah, ic. Mh, why wouldn't a function like that function without a db
>connection? Does it use the db? Isn't that less efficient?

It doesn't use the db - at least, it doesn't make a call to the db. It probably wants a db resource handle so that it can know what character set it is meant to be handling, which is established as a property on the connection.

>I might just use
>str_replace, because i can't think of any way that one could get a sql
>injection into
>
>str_replace("'", "\\\'", $value); // might need to replace a literal \ too.
>
>If you can, please enlighten me.

And also: NUL, LF, CR, " and ^Z

Or you could just call mysql_real_escape_string and know that you haven't coded your str_replace with some hole in it :)

--
Ross McKay, Toronto, NSW Australia
"The chief cause of problems is solutions" -Eric Sevareid
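Added example, not part of the original message: a comparison of the str_replace call as quoted above, a quote-only variant, and an escape covering the characters listed in the reply, each checked against a small emulation of how MySQL reads a single-quoted literal with backslash escapes enabled (the default). All function names and sample inputs are hypothetical and constructed for illustration; escape_full is byte-oriented and not character-set aware, which is the part mysql_real_escape_string takes from the connection.

```php
<?php
// The call exactly as quoted. In a double-quoted PHP string "\\\'" is three
// characters, \ \ ' , because PHP has no \' escape inside double quotes.
function escape_as_posted(string $v): string {
    return str_replace("'", "\\\'", $v);
}

// Quote-only variant: prefix each single quote with one backslash.
function escape_quote_only(string $v): string {
    return str_replace("'", "\\'", $v);
}

// Backslash and single quote plus the characters named in the reply:
// NUL, LF, CR, double quote and ^Z. Illustration only, single-byte charsets.
function escape_full(string $v): string {
    return strtr($v, [
        "\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
        "'" => "\\'", '"' => '\\"', "\x1a" => "\\Z",
    ]);
}

// Reads $body as the inside of a '...' literal. Returns true only if no quote
// ends the literal early and no trailing backslash swallows the closing quote.
function stays_inside_literal(string $body): bool {
    for ($i = 0, $n = strlen($body); $i < $n; $i++) {
        if ($body[$i] === "\\") {
            if (++$i >= $n) return false;      // lone backslash at the end
        } elseif ($body[$i] === "'") {
            if ($i + 1 < $n && $body[$i + 1] === "'") { $i++; continue; } // '' pair
            return false;                      // unescaped quote closes literal
        }
    }
    return true;
}

// Constructed inputs: a plain quote, a backslash before a quote, a trailing backslash.
$samples = ["O'Reilly", "back\\'slash", "ends with \\"];
foreach (['escape_as_posted', 'escape_quote_only', 'escape_full'] as $fn) {
    foreach ($samples as $s) {
        $e = $fn($s);
        printf("%-18s %-13s -> %-16s %s\n", $fn, $s, $e,
            stays_inside_literal($e) ? 'contained' : 'ENDS EARLY');
    }
}
```

Only escape_full keeps all three inputs inside the literal; the call as quoted already fails on "O'Reilly" because the two backslashes it emits pair up and leave the quote unescaped.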