|
Posted by Chris Shiflett on 03/27/05 06:45
tg-php@gryffyndevelopment.com wrote:
> So if I could broaden the question and ask, in general, what people
> recommend for pre-processing data before it goes into a SQL
> statement.
For escaping, I recommend an escaping function specific to your
database. These exist for most popular databases. As a last resort, you
can escape with addslashes(), but only if your database doesn't have a
native escaping function and also escapes things like single and double
quotes with a backslash.
> htmlentities()
This is an escaping function for HTML, not SQL. For HTML, I think it's
the best. :-)
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
[Back to original message]
|