On 18 Mar 2013, at 15:08, Matijn Woudt <tijnema@xxxxxxxxx> wrote:

> On Mon, Mar 18, 2013 at 2:19 PM, Sebastian Krebs <krebs.seb@xxxxxxxxx> wrote:
>
>> 2013/3/18 Ken Robinson <kenrbnsn@xxxxxxxxx>
>>
>>> On 18.03.2013 09:10, Norah Jones wrote:
>>>
>>>> I have a string which has a few ' (single quotes) and a few "
>>>> (double quotes) and was not able to insert it into the MySQL database. I
>>>> have replaced them with \' and \" and everything is fine.
>>>> Though these are fine now, I don't understand the working and I could
>>>> have missed a few corner cases also. Please explain the working and also
>>>> whether there is some better way to achieve this.
>>>
>>> You should be using either mysql_real_escape_string or
>>> mysqli_real_escape_string (preferably the latter) depending on how you're
>>> accessing the DB.
>>
>> You shouldn't use ext/mysql at all!
>> Use prepared statements with PDO_MYSQL or MySQLi
>
> And here comes the flame war again...

There's no need for it to be a flame war. The mysql extension is officially not recommended for writing new code, so anyone using it should be informed of this fact. I think it should consist of more than "don't use that," but at the very least that should cause the questioner to want to know why.

http://php.net/intro.mysql

This issue is problematic for exactly the reason Norah demonstrates above: "it's working." Great that in this case it hasn't been left at that, but most will see it work and think they've "got it right."

I believe the community has a responsibility to give good advice and recommend best practices as well as directly addressing people's problems, so it's right that things like this get repeatedly pointed out where appropriate.

-Stuart

--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
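An added illustration of the two points made in the thread (it is not code from any of the posters): the hand-rolled quote replacement from the original question "works" on the obvious inputs but misses the corner cases the questioner was worried about, and a MySQLi prepared statement sidesteps the problem because the value never becomes part of the SQL text. The `comments` table, its columns, and the `insertComment` function name are assumptions for the example.

```php
<?php
// The approach from the original question: replace ' and " with \' and \".
function naiveEscape(string $s): string {
    return str_replace(["'", '"'], ["\\'", '\\"'], $s);
}

// Wrap the escaped value in quotes, as it would be pasted into an SQL string.
function naiveLiteral(string $s): string {
    return "'" . naiveEscape($s) . "'";
}

// Constructed sample values: two that look fine, two that show the gaps.
$samples = ["O'Reilly", 'say "hi"', 'trailing\\', "NUL\0byte"];
foreach ($samples as $v) {
    printf("%-16s => %s\n", json_encode($v), naiveLiteral($v));
}
// 'trailing\' : the untouched backslash escapes the closing quote, so the
// literal is never terminated and whatever follows it is read as string data.
// The NUL byte is not handled either. mysqli_real_escape_string() covers
// backslash, NUL, \n, \r, ', " and Ctrl-Z and respects the connection charset,
// which is why the thread recommends it over a hand-written replacement.

// Recommended form: a prepared statement. $db is an open mysqli connection,
// and mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT) is assumed to
// have been called so that prepare/execute failures throw instead of
// returning false. Table and column names are assumptions for this example.
function insertComment(mysqli $db, string $author, string $body): int {
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
    // Values are sent separately from the statement; no escaping needed.
    $stmt->bind_param('ss', $author, $body);
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}
```

Running the top half needs no database; the escaping output for the third sample is what the "I could have missed a few corner cases" worry in the original question looks like in practice.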