> I prefer PHP Data Objects http://in3.php.net/manual/en/book.pdo.php to
> addslashes and mysql_real_escape_string

I prefer PDO myself.  However, it is not necessarily safer.  When using
prepared statements the parameters are automatically escaped similar to
mysql(i)_real_escape_string, if my reading of the documentation is
correct. But as far as I can tell no escaping is performed on PDO::query
or PDO::exec other than what you do yourself, so you have the same risks
that need to be addressed.

Niel Archer
niel.archer (at) blueyonder.co.uk

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to