In some earlier thread (I really don't want to dig to find it) I argued for running mysql_real_escape_string right on the _POST

I must concede I was definitely wrong about that.

The right place to do it is in a database abstraction class that does the actual insert for you, so that if you need to move your app to a different DB backend you just need to add the proper support to your abstraction class for the new DB.

Let it take care of the escaping when it inserts.

Anywhoo, that being said, does anyone have a suggestion for a good database abstraction class?

Preferably one that already has decent support for several open source databases?

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to