From: Rene Veerman [mailto:rene7705@xxxxxxxxx]
> On Mon, Feb 22, 2010 at 9:39 PM, Slack-Moehrle
>>
>> Single quotes are best, correct, to prevent sql injection?
>
> sql injection fixing is an evolving art, but you can start by pushing
> all variables that can be changed by end-users going into a database
> through a marshalling-function
>
>     function fixSQLinjectionToDB($var) { return addslashes($var); }
>
> addslashes is the minimum fix i believe, but google around and give us
> back the up-to-date uber-fix-function please :)

Slash is the wrong character. The correct SQL escape character is the single quote.

The best way to prepare text fields is to use the DB-specific escape functions on each text field before assembling the command string, i.e. pg_escape_string(). But that is after all fields have been sanitized and validated. In addition, if magic_quotes is turned on, you also need to remove them before doing the validation. The contributed notes in the online manual have some good suggestions on how to accomplish this.

Bob McConnell

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
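The three-step order Bob describes (undo magic_quotes, validate, then escape with the driver's own function while building the statement), written out as an added PHP example that is not from the thread. It assumes a live PostgreSQL connection `$db`, a hypothetical `users(name)` table, and the function names `stripMagicQuotes`, `validateDisplayName` and `insertUser`, which are this example's own; the final two lines contrast `addslashes()` with `pg_escape_string()` on the same input.

```php
<?php
// Added example, not code from the mailing-list thread.
// Assumes: $db is a pg_connect() resource and a table users(name) exists
// (both hypothetical). Function names below are this example's own.

// Step 1: if the server added slashes to request data (magic_quotes_gpc),
// remove them so validation sees the bytes the user actually sent.
// get_magic_quotes_gpc() no longer exists on current PHP, hence the guard.
function stripMagicQuotes(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Step 2: validate against what the field may legitimately contain.
// Example rule: a display name of 1..64 letters, digits, spaces, dots,
// apostrophes or hyphens. Reject anything else rather than "repairing" it.
function validateDisplayName(string $value): ?string {
    if (!preg_match('/^[\p{L}\p{N} .\'-]{1,64}$/u', $value)) {
        return null;
    }
    return $value;
}

// Step 3: escape with the driver's function, passing the connection so the
// escaping matches the server's settings, and only at the point where the
// value is spliced into the SQL text.
function insertUser($db, string $rawName): bool {
    $name = validateDisplayName(stripMagicQuotes($rawName));
    if ($name === null) {
        return false;   // validation failed; nothing is sent to the database
    }
    $sql = "INSERT INTO users (name) VALUES ('"
         . pg_escape_string($db, $name)
         . "')";
    return pg_query($db, $sql) !== false;
}

// Contrast the two escaping styles on a name containing a single quote.
// addslashes() produces a backslash escape (\'), which is not the SQL
// standard; pg_escape_string() doubles the quote (''), which is.
$input = "O'Brien";
echo "addslashes:       ", addslashes($input), "\n";
echo "pg_escape_string: ", pg_escape_string($db, $input), "\n";
```

Running the script against a real connection inserts the validated name and prints the two escaped forms side by side. The same ordering applies if the statement is built with `pg_query_params()` instead of string assembly: validation still happens first, and the driver then handles quoting for each parameter, which removes the manual escaping step entirely.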