I use this function every time I'm going to save any data in a SQL sentence:

    function q($s,$string=false) {
        $s = mysql_real_escape_string($s);
        # Adds quotes if it is a string
        if ($string) {
            $s = "'".$s."'";
        }
        return $s;
    }

Example of use:

    $sql = 'SELECT * FROM tableXYZ WHERE id='.q($id);

Or:

    $sql = 'SELECT * FROM tableXYZ WHERE title='.q($title,true);

Do you think it is enough? (It must work in environments with magic_quotes on|off.)

Andres
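Added example, not part of the original post: the unquoted branch of q() compared with a validated, bound parameter. It assumes PHP 7.4+ with the pdo_sqlite extension, with an in-memory SQLite database standing in for MySQL; escape_stand_in(), find_by_id_concat(), find_by_id() and find_by_title() are hypothetical names, and the rows and input are constructed.

```php
<?php
// Added example. Assumes PHP 7.4+ with pdo_sqlite; SQLite stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tableXYZ (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO tableXYZ (id, title) VALUES (1,'first'),(2,'second'),(3,'third')"); // constructed rows

// Hypothetical stand-in for mysql_real_escape_string(): escapes the same
// characters (\, NUL, \n, \r, ', ", Ctrl-Z) without needing a MySQL connection.
function escape_stand_in(string $s): string {
    return strtr($s, ["\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
                      "'" => "\\'", '"' => '\\"', "\x1a" => "\\Z"]);
}

// Pattern from the post, unquoted branch: q($id) with $string left false.
function find_by_id_concat(PDO $db, string $raw): array {
    $sql = 'SELECT * FROM tableXYZ WHERE id=' . escape_stand_in($raw);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: validate the type, keep the SQL text fixed, bind the value.
function find_by_id(PDO $db, string $raw): array {
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];                       // not an integer: never reaches the query
    }
    $stmt = $db->prepare('SELECT * FROM tableXYZ WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Strings need no manual quoting or escaping when bound as parameters.
function find_by_title(PDO $db, string $title): array {
    $stmt = $db->prepare('SELECT * FROM tableXYZ WHERE title = :title');
    $stmt->execute([':title' => $title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$input = '0 OR 1=1';                     // constructed input with no quote characters
printf("escaped value:        %s\n", escape_stand_in($input));
printf("concatenated, rows:   %d\n", count(find_by_id_concat($db, $input)));
printf("bound parameter rows: %d\n", count(find_by_id($db, $input)));
printf("bound id=2 rows:      %d\n", count(find_by_id($db, '2')));
printf("bound title rows:     %d\n", count(find_by_title($db, "it's")));
```

Against MySQL the same shape applies with PDO's mysql driver or mysqli prepared statements.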