Re: mysql_real_escape_string paranoid enough?

tedd <tedd.sperling@xxxxxxxxx> · Sat, 21 Mar 2009 09:10:48 -0400

At 11:41 AM -0500 3/20/09, Richard Lynch wrote:
I typically do something like this:

$data_sql = mysql_real_escape_string($data, $connection);
$query = "insert into data(data) values('$data_sql')";
$insert = mysql_query($query, $connection);
if (!$insert){
  trigger_error(mysql_error($connection), E_USER_ERROR);
}

Richard:

Isn't this --

$insert = mysql_query($query, $connection);
if (!$insert){
  trigger_error(mysql_error($connection), E_USER_ERROR);
}

-- the same as:

$result = mysql_query($query) or 
die(trigger_error(mysql_error($connection), E_USER_ERROR)));

Why not use die?

----

For error reporting, I use this:

$result = mysql_query($query) or die(report($query,__LINE__ ,__FILE__));

Where:

function report($query, $line, $file)
	{
	echo($query . '<br />' .$line . '<br />' . $file . '<br />' . 
mysql_error());
	}

HTH's

tedd
--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php