Do you have a question? Post it now! No Registration Necessary. Now with pictures!
- Posted on
August 14, 2007, 9:56 am
rate this thread
mysql_real_escape_string in part of my webapp.
I tested input with following text : Hélène 51°56'12'' http://www.mys
3 functions worked correctly and 1 failed:
The one that failed didn't have mysql_real_escape_string and neither
did 2 of the ones that worked: in those 2 I used prepared sql
statements (PEAR DB package). The other that I used was with
So my question: can you do without mysql_real_escape_string when using
prepared sql statements with PEAR DB-package or PDO ?
For PDO apparently you can when you use quote() and prepared
Re: mysql_real_escape_string necessary when using prepared statements
Yes. That's one reason for using prepared statements - you just tell the
DMBS what kind of data you will send to it, and the server itself takes
care of the proper encoding/escaping if necessary.
Forget this method - it kinda defeats the purpose of prepared
statements. From the PDO->quote() manual:
| If you are using this function to build SQL statements, you are
| _strongly_ recommended to use PDO->prepare() to prepare SQL statements
| with bound parameters instead of using PDO->quote() to interpolate
| user input into a SQL statement. [...]