> I assumed the reason you wanted to do escape the string so that you could 
> perform DB operations.

Yes, that is my intention. However, the function is found in an
include file of functions used in many different scripts, each of
which connect to a different database or may not connect to a database
at all, so I cannot rely on there existing a database connection. The
workaround would be to include this particular function in a separate
include file to only be included when a database connection is
present, but I would like to find a better way as I find it most
maintainable to have all my reused functions in a single file.

To give you an idea, the file contains these funtions:
function clean_mysql ($dirty)
function clean_html ($dirty)
function make_paginated_links_menu ($pages, $difference)
function obfuscate_email_address ($address)

Not all functions are used in all pages, however, this file of
reusable functions is included in all of them. Only the clean_mysql
function gives me trouble because I cannot ensure a database

> In your select/insert/update class(es)/function(s), you could just use 
>prepare statement and bind param.  Thus, no need
> to escape the string to protect against injection.  It's also faster if by 
> chance you're doing several updates/inserts due
> to the nature of prepare statement.  You could use a call back function in 
> case you have a varying size array of
> parameters, making your code more adaptable and somewhat smaller.  I 
> generally prefer using prepare statement +
> bind param over escape string + query for speed and flexibility.
> http://www.php.net/manual/en/mysqli.prepare.php
> http://www.php.net/manual/en/mysqli-stmt.bind-param.php
> have good examples.

Thanks. Going through those pages, I see that it is not what I need.
It is good to know, though.

Dotan Cohen


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to