Niel Archer wrote:
I prefer PHP Data Objects http://in3.php.net/manual/en/book.pdo.php to
addslashes and mysql_real_escape_string
I prefer PDO myself. However, it is not necessarily safer. When using
prepared statements the parameters are automatically escaped similar to
mysql(i)_real_escape_string, if my reading of the documentation is
correct.
No, prepared statements are better than that. The database knows that
what you pass in can only be data, and you can't get out of that
"parameter", thus you're safe from SQL injection. (I'm trying to find a
decent doc that explains this but can't find anything).
But as far as I can tell no escaping is performed on PDO::query
or PDO::exec other than what you do yourself, so you have the same risks
that need to be addressed.
Correct. See PDO::quote (http://www.php.net/manual/en/pdo.quote.php).
--
Postgresql & php tutorials
http://www.designmagick.com/
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
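The distinction the thread is drawing, shown as an added example rather than code from any of the posters or from the PHP manual: the same lookup done with PDO::query plus string concatenation, with PDO::quote, and with a prepared statement. The users table, the rows and the attacker-controlled input are constructed for the example, and an in-memory SQLite database is used so it runs without a server. One caveat worth adding to the "the database knows it can only be data" point: pdo_mysql emulates prepares on the client by default, so the statement only reaches the server as statement-plus-parameters when PDO::ATTR_EMULATE_PREPARES is switched off, which the example does when the driver is mysql.

```php
<?php
// Added example, not from the mailing-list thread. Schema and input are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// pdo_mysql builds the final SQL string client-side unless emulation is
// turned off; with it off, the server receives the statement and the
// parameters separately. SQLite ignores this attribute, so guard by driver.
if ($pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
}

$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed attacker input: closes the string literal and widens the WHERE clause.
$input = "bob' OR '1'='1";

// 1. PDO::query with concatenation: nothing is escaped, so the input becomes SQL.
function lookupUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. PDO::quote: escapes and wraps the value as a string literal. It works for a
//    single literal, but it is still string building that you must remember
//    to apply at every call site.
function lookupQuoted(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = " . $pdo->quote($name);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Prepared statement: the value is bound as a parameter and is never parsed
//    as part of the statement text.
function lookupPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT name FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(lookupUnsafe($pdo, $input));   // both rows come back: the WHERE was rewritten
var_dump(lookupQuoted($pdo, $input));   // empty: no user is literally named that
var_dump(lookupPrepared($pdo, $input)); // empty: the input stayed data
```

Run it with any PHP build that has pdo_sqlite enabled. The first call returns both rows because the quote in the input terminated the literal; the other two return nothing, which is the behaviour the thread describes for PDO::quote and for bound parameters respectively.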