On Thu, Mar 5, 2009 at 11:41 AM, Eric Butera <eric.butera@xxxxxxxxx> wrote:
> On Thu, Mar 5, 2009 at 12:21 PM, haliphax <haliphax@xxxxxxxxx> wrote:
>> On Thu, Mar 5, 2009 at 11:08 AM, Eric Butera <eric.butera@xxxxxxxxx> wrote:
>>> On Thu, Mar 5, 2009 at 12:00 PM, haliphax <haliphax@xxxxxxxxx> wrote:
>>>> On Thu, Mar 5, 2009 at 10:52 AM, Eric Butera <eric.butera@xxxxxxxxx> wrote:
>>>>> Make sure to always pass your active database connection into the
>>>>> second parameter of mysql_real_escape_string. There could be
>>>>> character set differences between your two servers too that might be
>>>>> causing issues for you. If at all possible I would recommend
>>>>> upgrading to mysqli or pdo and use prepared statements.
>>>>
>>>> mysqli may not be available to him (PHP4, etc.) and I don't see why he
>>>> should completely switch his procedure if his code will work with the
>>>> addition of the db handle in the function call... but that's my 2c. I
>>>> agree that at some level, it is more beneficial to change all of the
>>>> code you have to use a new method/construct/whatever, but it may not
>>>> be worth it in his case.
>>>
>>> Using php4 is beyond irresponsible at this point.
>>
>> Nice quip, but it doesn't do any of us any good who are stuck with
>> PHP4 due to the decisions of people with more clout in the
>> organization than we (like perhaps the OP).
>>
>> :p
>
> We heard those arguments for years. Using software with no security
> patches is insane.

I agree! However, there are a lot of insane people that are given the
reins to decisions that are not the same people who program (and
understand) the applications involved... :(

--
// Todd

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php