--- Justin Patrin <[EMAIL PROTECTED]> wrote:
> You also shouldn't need addslashes when putting it in. quoteSmart() in
> PEAR::DB is a *much* better option.
That's great for those who use PEAR::DB, but it's not very safe to argue against addslashes() based on what's in a specific PEAR module. I would argue that something like mysql_escape_string() is better than addslashes(), so I agree with you for the most part anyway. :-)

It all depends on what database is being used and how.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming Fall 2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
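
Added example, not part of the original message or of PEAR::DB: the point that the right escaping depends on the database, shown by running addslashes() output against a database that does not treat backslash as an escape character. It assumes PHP with the pdo_sqlite driver as a stand-in for the drivers named in the thread; the table name and sample value are constructed.

```php
<?php
// Added illustration: addslashes() versus the database driver's own escaping.
// Assumption: PDO with the SQLite driver (pdo_sqlite), in-memory database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE authors (name TEXT)'); // hypothetical table

$name = "O'Reilly"; // constructed sample input containing a single quote

// 1. addslashes() produces O\'Reilly. SQLite follows standard SQL: a quote
//    inside a literal is escaped by doubling it, and a backslash is an
//    ordinary character. The literal therefore ends at the quote and the
//    statement no longer parses.
try {
    $pdo->exec("INSERT INTO authors (name) VALUES ('" . addslashes($name) . "')");
    echo "addslashes(): inserted\n";
} catch (PDOException $e) {
    echo "addslashes(): rejected by SQLite: ", $e->getMessage(), "\n";
}

// 2. The driver's own quoting knows the target dialect and doubles the quote.
$pdo->exec('INSERT INTO authors (name) VALUES (' . $pdo->quote($name) . ')');

// 3. A bound parameter keeps the value out of the SQL text entirely, so the
//    question of which escaping function to use does not arise.
$stmt = $pdo->prepare('INSERT INTO authors (name) VALUES (?)');
$stmt->execute([$name]);

// Both driver-aware inserts stored the value unchanged.
foreach ($pdo->query('SELECT name FROM authors') as $row) {
    echo "stored: ", $row['name'], "\n";
}
```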