Re: Sanitizing potential MySQL strings with no database connection

> Yes, the mysql_real_escape_string() function uses the database's character encoding to determine how to encode the
> string, whereas the older deprecated version mysql_escape_string() required no connection as it always assumed
> Latin-1 (as far as I know)

Is there such a function that always assumes UTF-8? That's what it
always will be.


> The data itself only needs to be sanitised just prior to being inserted into the DB anyway, it
> shouldn't be used to validate data in any way, there are functions specifically for that. To me, it just seems that the logic
> of the script is flawed if you require the data to be sanitised before a connection has been made to the DB.
>

I am not requiring the data to be sanitised before a connection has
been made to the DB. The function that calls
mysql_real_escape_string() is in an include file of commonly-reused
functions. Scripts that connect to databases and scripts that do not
connect to databases include this file.

To clarify, the include file contains these functions:
function clean_mysql ($dirty)
function clean_html ($dirty)
function make_paginated_links_menu ($pages, $difference)
function obfuscate_email_address ($address)

Not all of the functions are used in all scripts, however, this file
of reusable functions is included in all of them. Only the clean_mysql
function gives me trouble because it calls mysql_real_escape_string().

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
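
An added example, not part of the original message or of any code posted to the list: one way to lay out a shared include file like the one described above so that the escaping helper takes the connection as an explicit argument, and scripts that never connect can still include the file. It uses mysqli, the successor to the mysql_* extension discussed in the thread; the function bodies, the open_db and find_user_by_email helpers, and the users table are assumptions for illustration.

```php
<?php
// common_functions.php (hypothetical include file, modelled on the one described above)

// HTML output encoding needs no database, so any script may call it.
function clean_html(string $dirty): string
{
    return htmlspecialchars($dirty, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escaping depends on the connection character set, so the connection is a
// required argument: a script without one cannot call this by accident, and
// nothing tries to open an implicit default connection.
function clean_mysql(mysqli $db, string $dirty): string
{
    return $db->real_escape_string($dirty);
}

// Open the connection in the scripts that need it and pin the character set,
// so the escaping routine and the server agree on UTF-8.
function open_db(string $host, string $user, string $pass, string $name): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors
    $db = new mysqli($host, $user, $pass, $name);
    $db->set_charset('utf8mb4');
    return $db;
}

// Preferred where possible: a prepared statement sends the value separately
// from the SQL text, so no string escaping is involved.
// The users table and its columns are assumed for this example.
function find_user_by_email(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

Defining these functions has no side effects at include time; only scripts that call open_db() ever touch the database.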

