----- Original Message ----
> From: Dotan Cohen <dotanco...@gmail.com>
> To: Tommy Pham <tommy...@yahoo.com>
> Cc: php-general. <php-general@lists.php.net>
> Sent: Sat, October 17, 2009 10:59:52 AM
> Subject: Re: [PHP] Sanitizing potential MySQL strings with no database  
> connection
> > I don't think so since the mysql_real_escape_string() requires a connection 
> handler.  Why not use bind param?
> >
> Thanks. I just googled bind param but I am still a bit unclear as to
> what is going on.
> To be clear, I have a file of functions that I use in many scripts,
> lets call it functions.inc. One of the functions calls
> mysql_real_escape_string() but in order to do that it looks like I
> have to connect to a database. However, different scripts connect to
> different databases, and some do not connect to a database at all, so
> I cannot simple connect to a database from the functions.inc file as
> that will interfere with the database connections going on in the
> scripts including that file.
> -- 
> Dotan Cohen
> http://what-is-what.com
> http://gibberish.co.il
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

I assumed the reason you wanted to do escape the string so that you could 
perform DB operations.  In your select/insert/update class(es)/function(s), you 
could just use prepare statement and bind param.  Thus, no need to escape the 
string to protect against injection.  It's also faster if by chance you're 
doing several updates/inserts due to the nature of prepare statement.  You 
could use a call back function in case you have a varying size array of 
parameters, making your code more adaptable and somewhat smaller.  I generally 
prefer using prepare statement + bind param over escape string + query for 
speed and flexibility.


have good examples.


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to