> I assumed the reason you wanted to escape the string was so that you could perform DB operations.

Yes, that is my intention. However, the function is found in an include file of functions used in many different scripts, each of which connects to a different database or may not connect to a database at all, so I cannot rely on there existing a database connection. The workaround would be to include this particular function in a separate include file to only be included when a database connection is present, but I would like to find a better way as I find it most maintainable to have all my reused functions in a single file.

To give you an idea, the file contains these functions:

function clean_mysql ($dirty)
function clean_html ($dirty)
function make_paginated_links_menu ($pages, $difference)
function obfuscate_email_address ($address)

Not all functions are used in all pages, however, this file of reusable functions is included in all of them. Only the clean_mysql function gives me trouble because I cannot ensure a database connection.

> In your select/insert/update class(es)/function(s), you could just use prepare statement and bind param. Thus, no need
> to escape the string to protect against injection. It's also faster if by chance you're doing several updates/inserts due
> to the nature of prepare statement. You could use a call back function in case you have a varying size array of
> parameters, making your code more adaptable and somewhat smaller. I generally prefer using prepare statement +
> bind param over escape string + query for speed and flexibility.
>
> http://www.php.net/manual/en/mysqli.prepare.php
> http://www.php.net/manual/en/mysqli-stmt.bind-param.php
>
> have good examples.
>

Thanks. Going through those pages, I see that it is not what I need. It is good to know, though.

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
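The prepare-then-bind approach suggested in the quoted reply, as an added example that is not part of the original thread: a helper that receives the connection as an argument, so it can be defined in a shared include file that is loaded with no database connection open. It uses PDO with an in-memory SQLite database in place of mysqli so that it runs without a server; `run_prepared` and `placeholders` are hypothetical names, and the input strings are constructed.

```php
<?php
// Added example (hypothetical helper names; PDO + SQLite swapped in for mysqli).
// Defining these functions needs no database connection: the calling script
// passes in whichever handle it has, if it has one at all.
function run_prepared(PDO $db, string $sql, array $params = []): PDOStatement
{
    $stmt = $db->prepare($sql); // the SQL text contains only ? placeholders
    foreach (array_values($params) as $i => $value) {
        // Values travel separately from the SQL text; positions are 1-based.
        $type = is_int($value) ? PDO::PARAM_INT
              : (is_null($value) ? PDO::PARAM_NULL : PDO::PARAM_STR);
        $stmt->bindValue($i + 1, $value, $type);
    }
    $stmt->execute();
    return $stmt;
}

// Build "?, ?, ?" for a varying-size parameter array (for example an IN list).
function placeholders(array $params): string
{
    if (count($params) === 0) {
        throw new InvalidArgumentException('empty parameter list');
    }
    return implode(', ', array_fill(0, count($params), '?'));
}

// --- Demo on constructed data, using an in-memory SQLite database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');

// Constructed input, including quotes that would break a concatenated query.
$names = ['alice', "O'Brien", "x'); DROP TABLE users; --"];
foreach ($names as $name) {
    run_prepared($db, 'INSERT INTO users (name) VALUES (?)', [$name]);
}

// Varying-size lookup: the number of placeholders follows the array size.
$wanted = ["O'Brien", "x'); DROP TABLE users; --"];
$sql = 'SELECT id, name FROM users WHERE name IN ('
     . placeholders($wanted) . ') ORDER BY id';
foreach (run_prepared($db, $sql, $wanted) as $row) {
    echo $row['id'], ': ', $row['name'], PHP_EOL;
}
echo 'rows in table: ',
     $db->query('SELECT COUNT(*) FROM users')->fetchColumn(), PHP_EOL;
```

Because no value is ever spliced into the SQL text, nothing in the shared file has to call an escaping function that depends on an open connection.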