Just looking for opinions on SQL injection while using prepared statements. I've read at the oci8 extension that content should not be "escaped":

---
Do not use magic_quotes_gpc or addslashes() and oci_bind_by_name() simultaneously as no quoting is needed and any magically applied quotes will be written into your database as oci_bind_by_name() is not able to distinguish magically added quotings from those added intentionally.
---

I've also been told something similar to this from the author of the ODBTP PHP extension (http://odbtp.sourceforge.net/). So I'm guessing that this is how "prepared" statements are done on other databases.

After being trained to do it one way (always escaping "bad" content), I'm being shown to do it the other way, and I'm looking for any suggestions you may have.

Thanks.

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
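The behaviour the oci8 note describes is not specific to Oracle: with bound parameters the value travels separately from the SQL text, so quotes in it are data rather than syntax, and anything you escape beforehand is stored with the backslashes in it. This added example (not from the post or from the oci8/ODBTP extensions) shows both effects with Python's sqlite3 module; `addslashes` is a small reimplementation of the PHP function, and the table and rows are constructed here.

```python
import sqlite3


def addslashes(s: str) -> str:
    """Approximation of PHP's addslashes(): backslash-escape quotes and backslashes."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def _fresh_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for any database with bind support.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    return conn


def stored_value(name: str, escape_first: bool = False) -> str:
    """Insert `name` through a bound parameter and return what the DB actually stored.

    escape_first=True mimics running addslashes()/magic_quotes before binding,
    the combination the oci8 documentation warns about: the escaping is not
    consumed by the SQL parser, so it ends up in the row.
    """
    conn = _fresh_db()
    value = addslashes(name) if escape_first else name
    # The driver transmits `value` separately from the SQL text, so a quote
    # inside it cannot change the statement; nothing needs escaping here.
    conn.execute("INSERT INTO users (name) VALUES (?)", (value,))
    (stored,) = conn.execute("SELECT name FROM users").fetchone()
    conn.close()
    return stored


def matching_rows(name_input: str) -> int:
    """Count rows whose name equals `name_input`, compared via a bound parameter.

    Quotes and SQL keywords in the input are matched as literal text, which is
    why binding (not escaping) is what keeps the query's structure fixed.
    """
    conn = _fresh_db()
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("o'brien",)])
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (name_input,)).fetchall()
    conn.close()
    return len(rows)
```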