On Thu, 26 Feb 2004 18:07:40 +0100, Matthias Esken
<mu******************@usenetverwaltung.org> wrote:
>>>>> mysql_escape_string($rawstring)
>>>> But will that guarantee that the query can never be hacked?
>>>> Is that the common way of solving the problem?
>>> If you use MySQL: Yes.
>> What do you mean? It is called 'MYSQL_escape_string(...)' so you must be
>> using MySQL.
> Yes.
>> Or are you saying that adding an escape string is only safe with MySQL?
> I think it should be safe with other databases, but I don't know every
> existing RDBMS around, so I don't know if this will work everywhere.
Sensible databases support bind variables/placeholders, separating data from
the SQL, and so avoiding the issue entirely.
--
Andy Hassall <an**@andyh.co.uk> / Space: disk usage analysis tool
<http://www.andyh.co.uk> / <http://www.andyhsoftware.co.uk/space>
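The two points made above, that escaping is only as good as its match with the server's string syntax and that placeholders sidestep the question entirely, as an added example that is not code from anyone in the thread. It uses Python's sqlite3 as a stand-in RDBMS so it runs offline, and `mysql_style_escape()` is an approximation of what PHP's mysql_escape_string() does (backslash-escaping), written here for illustration; the user table is constructed sample data.

```python
# Added example: MySQL-style escaping spliced into SQL text versus a bound
# parameter, run against SQLite, which does not treat backslash as an escape.
import sqlite3

# Characters mysql_escape_string() backslash-escapes (approximation, see lead-in).
_MYSQL_ESCAPES = {
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\x1a": "\\Z",
}


def mysql_style_escape(value: str) -> str:
    """Approximation of PHP's mysql_escape_string(): backslash-escape the
    characters MySQL treats specially inside a quoted string literal."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("alice",), ("bob",), ("O'Brien",)])
    conn.commit()
    return conn


def lookup_escaped(conn: sqlite3.Connection, name: str) -> list:
    """The pattern under discussion: escape, then splice into the SQL text.
    Only correct when the escaping rules match the server's parser."""
    sql = "SELECT name FROM users WHERE name = '%s'" % mysql_style_escape(name)
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Bind variable / placeholder: the value never enters the SQL text."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1=1 --"
    # The escaped text is  name = '\' OR 1=1 --'  which SQLite reads as the
    # one-character string "\" followed by an injected OR and a comment.
    print(lookup_escaped(conn, payload))   # all three users
    print(lookup_param(conn, payload))     # []
    # A legitimate apostrophe is mangled the same way: 'O\'Brien' is not one
    # literal to SQLite, so the query is rejected outright.
    try:
        print(lookup_escaped(conn, "O'Brien"))
    except sqlite3.OperationalError as exc:
        print("escaped lookup failed:", exc)
    print(lookup_param(conn, "O'Brien"))   # [("O'Brien",)]
```

Run against MySQL itself the escaped form would behave, which is exactly the "only safe with MySQL" caveat raised in the thread; the placeholder version gives the same result on every engine because the driver hands the value to the server separately from the statement text.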