On Thu, Mar 5, 2009 at 11:41 AM, Eric Butera <eric.but...@gmail.com> wrote:
> On Thu, Mar 5, 2009 at 12:21 PM, haliphax <halip...@gmail.com> wrote:
>> On Thu, Mar 5, 2009 at 11:08 AM, Eric Butera <eric.but...@gmail.com> wrote:
>>> On Thu, Mar 5, 2009 at 12:00 PM, haliphax <halip...@gmail.com> wrote:
>>>> On Thu, Mar 5, 2009 at 10:52 AM, Eric Butera <eric.but...@gmail.com> wrote:
>>>>> Make sure to always pass your active database connection into the
>>>>> second parameter of mysql_real_escape_string. There could be
>>>>> character set differences between your two servers too that might be
>>>>> causing issues for you. If at all possible I would recommend
>>>>> upgrading to mysqli or pdo and use prepared statements.
>>>> mysqli may not be available to him (PHP4, etc.) and I don't see why he
>>>> should completely switch his procedure if his code will work with the
>>>> addition of the db handle in the function call... but that's my 2c. I
>>>> agree that at some level, it is more beneficial to change all of the
>>>> code you have to use a new method/construct/whatever, but it may not
>>>> be worth it in his case.
>>> Using php4 is beyond irresponsible at this point.
>> Nice quip, but it doesn't do any of us any good who are stuck with
>> PHP4 due to the decisions of people with more clout in the
>> organization than we (like perhaps the OP).
> We heard those arguments for years. Using software with no security
> patches is insane.
I agree! However, there are a lot of insane people that are given the
reigns to decisions that are not the same people who program (and
understand) the applications involved...
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php