Posted by Malcolm Dew-Jones on 06/29/05 02:01
Ken Robinson (kenrbnsn@rbnsn.com) wrote:
: Malcolm Dew-Jones wrote:
: > $id = mysql_escape_string($_REQUEST['id']);
: >
: > $sql = "select * from the_table where ID='$id'";
: >
: >
: > Always escape your values before stuffing them into the sql string, (not
: > just when you think you might need it).
: You can also use urlencode($var) or htmlentities($var,ENT_QUOTES)
: before inserting $var into your database.
You can, but you should still use mysql_escape_string on the result when
you embed it in an sql query being handled by mysql.
--
This space not for rent.
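The following is an added example, not code from either poster. It reproduces the exchange above in Python with an in-memory SQLite table instead of PHP/MySQL, so the lookups can be run offline: the same `select * from the_table where ID='...'` string is built four ways, raw, with SQL escaping (quote doubling, SQLite's equivalent of what mysql_escape_string does for MySQL), with HTML-entity encoding in the spirit of htmlentities($var, ENT_QUOTES), and with a bound parameter. The table contents, the `O'Brien` row and the `' OR '1'='1` payload are constructed for the demonstration.

```python
import html
import sqlite3


def setup_db():
    """Constructed sample data: an ID column and a value the attacker wants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE the_table (ID TEXT PRIMARY KEY, secret TEXT)")
    conn.executemany(
        "INSERT INTO the_table VALUES (?, ?)",
        [("42", "alice"), ("O'Brien", "bob"), ("admin", "root")],
    )
    return conn


def sql_escape(value):
    """Escape a value for use inside a single-quoted SQL string literal.

    SQLite escapes a quote by doubling it. mysql_escape_string does the
    MySQL equivalent (backslash before quotes, backslashes, NUL, newlines);
    the rule differs per database, which is why the escaping must be done
    by the database's own routine, not by a generic encoder.
    """
    return value.replace("'", "''")


def build_query(id_value):
    """The query shape from the post: the value is stuffed into the SQL string."""
    return "select * from the_table where ID='%s'" % id_value


def lookup_raw(conn, id_value):
    """No escaping at all: the value can change the meaning of the statement."""
    return conn.execute(build_query(id_value)).fetchall()


def lookup_escaped(conn, id_value):
    """Escaped for SQL before embedding: the value stays a value."""
    return conn.execute(build_query(sql_escape(id_value))).fetchall()


def lookup_html_encoded(conn, id_value):
    """Ken's suggestion, htmlentities with ENT_QUOTES, applied instead of
    SQL escaping: the quote is neutralised, but the stored/compared data is
    now the HTML-encoded form, not what the user typed."""
    return conn.execute(build_query(html.escape(id_value, quote=True))).fetchall()


def lookup_param(conn, id_value):
    """Bound parameter: the driver keeps value and statement apart."""
    return conn.execute(
        "select * from the_table where ID=?", (id_value,)
    ).fetchall()


if __name__ == "__main__":
    conn = setup_db()
    payload = "' OR '1'='1"
    print("raw      :", lookup_raw(conn, payload))         # every row leaks
    print("escaped  :", lookup_escaped(conn, payload))     # no rows
    print("html-enc :", lookup_html_encoded(conn, "O'Brien"))  # no rows: data mangled
    print("escaped  :", lookup_escaped(conn, "O'Brien"))   # the real row
    print("param    :", lookup_param(conn, "O'Brien"))     # the real row
    try:
        lookup_raw(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("raw      : syntax error on a legitimate quote ->", exc)
```

Two things the output shows that the post only states: an unescaped legitimate value (`O'Brien`) breaks the statement just as an attack does, and encoding for a different context (HTML) keeps the quote out of the SQL but changes the data, so the lookup for the real row fails. SQL escaping, or a bound parameter, preserves the value exactly.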