You are here: Re: mysql_real_escape_string necessary when using prepared statements « All PHP « IT news, forums, messages
Re: mysql_real_escape_string necessary when using prepared statements

Posted by Michael Fesser on 08/14/07 13:51

..oO(Pugi!)

>So my question: can you do without mysql_real_escape_string when using
>prepared sql statements with PEAR DB-package or PDO ?

Yes. That's one reason for using prepared statements - you just tell the
DMBS what kind of data you will send to it, and the server itself takes
care of the proper encoding/escaping if necessary.

>For PDO apparently you can when you use quote() and prepared
>statements.

Forget this method - it kinda defeats the purpose of prepared
statements. From the PDO->quote() manual:

| If you are using this function to build SQL statements, you are
| _strongly_ recommended to use PDO->prepare() to prepare SQL statements
| with bound parameters instead of using PDO->quote() to interpolate
| user input into a SQL statement. [...]

Micha

 

Navigation:

[Reply to this message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация