----- Original Message ----
> From: Dotan Cohen <dotanco...@gmail.com>
> To: Tommy Pham <tommy...@yahoo.com>
> Cc: php-general. <firstname.lastname@example.org>
> Sent: Sat, October 17, 2009 10:59:52 AM
> Subject: Re: [PHP] Sanitizing potential MySQL strings with no database
> > I don't think so since the mysql_real_escape_string() requires a connection
> handler. Why not use bind param?
> Thanks. I just googled bind param but I am still a bit unclear as to
> what is going on.
> To be clear, I have a file of functions that I use in many scripts,
> lets call it functions.inc. One of the functions calls
> mysql_real_escape_string() but in order to do that it looks like I
> have to connect to a database. However, different scripts connect to
> different databases, and some do not connect to a database at all, so
> I cannot simple connect to a database from the functions.inc file as
> that will interfere with the database connections going on in the
> scripts including that file.
> Dotan Cohen
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
I assumed the reason you wanted to do escape the string so that you could
perform DB operations. In your select/insert/update class(es)/function(s), you
could just use prepare statement and bind param. Thus, no need to escape the
string to protect against injection. It's also faster if by chance you're
doing several updates/inserts due to the nature of prepare statement. You
could use a call back function in case you have a varying size array of
parameters, making your code more adaptable and somewhat smaller. I generally
prefer using prepare statement + bind param over escape string + query for
speed and flexibility.
have good examples.
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php