In some earlier thread (I really don't want to dig to find it) I argued for running mysql_real_escape_string right on the _POST.

I must concede I was definitely wrong about that.

The right place to do it is in a database abstraction class that does the actual insert for you, so that if you need to move your app to a different DB backend you just need to add the proper support to your abstraction class for the new DB.

Let it take care of the escaping when it inserts.

Anywhoo, that being said, does anyone have a suggestion for a good database abstraction class?

Preferably one that already has decent support for several open source databases?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
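
The approach described in the message above, as an added example that is not part of the original post: a small wrapper that receives raw values and handles quoting only at insert time. The class name SafeDb, the guestbook table and the sample input are hypothetical, and it uses PDO bound parameters in place of mysql_real_escape_string so that the backend is selected by the DSN alone.

```php
<?php
// Added example; SafeDb is a hypothetical name, not an existing library.
final class SafeDb
{
    private PDO $pdo;

    public function __construct(string $dsn, ?string $user = null, ?string $pass = null)
    {
        // The DSN prefix (mysql:, pgsql:, sqlite:) picks the backend; callers never deal with it again.
        $this->pdo = new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    }

    /** Insert one row; $row maps column name => raw, unescaped value. */
    public function insert(string $table, array $row): int
    {
        if ($row === []) {
            throw new InvalidArgumentException('empty row');
        }
        // Values can be bound, identifiers cannot, so names must match a strict pattern.
        foreach (array_merge([$table], array_keys($row)) as $name) {
            if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', (string) $name)) {
                throw new InvalidArgumentException("bad identifier: $name");
            }
        }
        $cols  = implode(', ', array_keys($row));
        $marks = implode(', ', array_fill(0, count($row), '?'));
        $stmt  = $this->pdo->prepare("INSERT INTO $table ($cols) VALUES ($marks)");
        $stmt->execute(array_values($row)); // the driver does the backend-specific quoting here
        return (int) $this->pdo->lastInsertId();
    }

    /** Run a statement with bound parameters and return any rows as associative arrays. */
    public function query(string $sql, array $params = []): array
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Constructed sample input standing in for $_POST; it is passed through untouched.
$post = ['name' => "O'Reilly", 'comment' => "x'); DROP TABLE guestbook; --"];

$db = new SafeDb('sqlite::memory:');
$db->query('CREATE TABLE guestbook (id INTEGER PRIMARY KEY, name TEXT, comment TEXT)');
$id   = $db->insert('guestbook', $post);
$rows = $db->query('SELECT name, comment FROM guestbook WHERE id = ?', [$id]);

// Compare the stored row with what was submitted.
var_dump($rows[0] === $post);
```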