> You should in pretty much all cases be safe with just using the
> mysql_real_escape_string, which takes care of the - for you as well.
>

If I remember correctly, TFM once stated that mysql_real_escape_string
does not prevent SQL injection attacks, though I am hard pressed to
think of what it _is_ for, then. I now see that the manual has this
note:
"Note: If this function is not used to escape data, the query is
vulnerable to SQL Injection Attacks."

Does that necessarily imply this:
"If this function is used to escape data, the query is not vulnerable
to SQL Injection Attacks."?

Logically, it does _not_ mean the same thing.

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

--
PHP General Mailing List (http://www.php.net/)
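
An added example, not part of the original message or of the PHP manual: a Python sketch of one case where the converse asked about above does not hold, namely an escaped value interpolated outside quotes. `escape_model` is a hypothetical stand-in that models the characters `mysql_real_escape_string` backslash-escapes, SQLite stands in for MySQL, and the table and input are constructed.

```python
import sqlite3

# Model of the characters mysql_real_escape_string() backslash-escapes
# (NUL, \n, \r, \, ', ", Ctrl-Z). Hypothetical helper, not the PHP function.
_ESCAPES = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

def escape_model(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def make_db():
    # Constructed sample data; SQLite is an assumption standing in for MySQL.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db

def lookup_escaped_unquoted(db, user_id):
    # Escaped, but placed outside quotes: the value is still parsed as SQL.
    sql = "SELECT name FROM users WHERE id = " + escape_model(user_id)
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, user_id):
    # Bound parameter: the value is data and never reaches the SQL parser.
    return [row[0] for row in db.execute(
        "SELECT name FROM users WHERE id = ?", (user_id,))]

def lookup_validated(db, user_id):
    # Defence in depth: accept only a plain ASCII integer, then bind it.
    if not (user_id.isascii() and user_id.isdigit()):
        raise ValueError("id must be an integer")
    return lookup_bound(db, int(user_id))

if __name__ == "__main__":
    db = make_db()
    crafted = "0 OR 1=1"  # constructed input with nothing for the escaper to change
    print("escaping changed the input:", escape_model(crafted) != crafted)
    print("escaped + unquoted:", lookup_escaped_unquoted(db, crafted))
    print("bound parameter:   ", lookup_bound(db, crafted))
    print("validated id '2':  ", lookup_validated(db, "2"))
```

Escaping protects only values that end up inside a quoted string literal; binding parameters or validating the type covers the unquoted case as well.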