|
Posted by Pugi! on 08/14/07 09:56
It is by accident that I noticed that I forgot to use
mysql_real_escape_string in part of my webapp.
I tested input with following text : Hélène 51°56'12'' http://www.mysite.org/folder
3 functions worked correctly and 1 failed:
The one that failed didn't have mysql_real_escape_string and neither
did 2 of the ones that worked: in those 2 I used prepared sql
statements (PEAR DB package). The other that I used was with
mysql_real_escape_string.
So my question: can you do without mysql_real_escape_string when using
prepared sql statements with PEAR DB-package or PDO ?
For PDO apparently you can when you use quote() and prepared
statements.
Pugi
Navigation:
[Reply to this message]
|