|
Posted by Michael Fesser on 08/14/07 13:51
..oO(Pugi!)
>So my question: can you do without mysql_real_escape_string when using
>prepared sql statements with PEAR DB-package or PDO ?
Yes. That's one reason for using prepared statements - you just tell the
DMBS what kind of data you will send to it, and the server itself takes
care of the proper encoding/escaping if necessary.
>For PDO apparently you can when you use quote() and prepared
>statements.
Forget this method - it kinda defeats the purpose of prepared
statements. From the PDO->quote() manual:
| If you are using this function to build SQL statements, you are
| _strongly_ recommended to use PDO->prepare() to prepare SQL statements
| with bound parameters instead of using PDO->quote() to interpolate
| user input into a SQL statement. [...]
Micha
Navigation:
[Reply to this message]
|