In the case that your comparing a field to a field in the database (the field name) do you escape that or because it is hardcoded you dont need to? My thoughts are that you need to escape all data going in.
Correct. A field name is not data though. You've already validated it (somehow, either by hardcoding it, or checking it against field names to make sure it's a proper field and doesn't contain weird chars).
But I do not know if it will match. EG: /** * updateProduct */ function updateProduct($ProductName, $field, $value){ $q = "UPDATE ".TBL_PRODUCTS." SET ".$field." = '".mysql_real_escape_string($value)."' WHERE ProductName = '".mysql_real_escape_string($ProductName)."'"; return $this->query($q); } Do I escape $field? mysql_real_escape_string($field)?
You can only escape data, not field or table (or database) names. -- Postgresql & php tutorials http://www.designmagick.com/ -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php