On 18 Mar 2013, at 15:08, Matijn Woudt <tijn...@gmail.com> wrote:
> On Mon, Mar 18, 2013 at 2:19 PM, Sebastian Krebs <krebs....@gmail.com>wrote:
>> 2013/3/18 Ken Robinson <kenrb...@rbnsn.com>
>>> On 18.03.2013 09:10, Norah Jones wrote:
>>>> I have a string which has a few ' (single quotes) and a few "
>>>> (double quotes) and was not able to insert it into the MySQL database. I
>>>> have replaced them with \' and \" and everything is fine.
>>>> Though this is fine now, I don't understand how it works and I could
>>>> have missed a few corner cases as well. Please explain how it works and also
>>>> whether there is some better way to achieve this.
>>> You should be using either mysql_real_escape_string or
>>> mysqli_real_escape_string (preferably the latter) depending on how you're
>>> accessing the DB.
>> You shouldn't use ext/mysql at all!
>> Use prepared statements with PDO_MYSQL or MySQLi
> And here comes the flame war again...
There's no need for it to be a flame war. The mysql extension is officially not
recommended for writing new code, so anyone using it should be informed of this
fact. I think it should consist of more than "don't use that," but at the very
least that should cause the questioner to want to know why.
This issue is problematic for exactly the reason Norah demonstrates above:
"it's working." Great that in this case it hasn't been left at that, but most
will see it work and think they've "got it right." I believe the community has
a responsibility to give good advice and recommend best practices as well as
directly addressing people's problems, so it's right that things like this get
repeatedly pointed out where appropriate.
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
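As an added illustration of the thread's point (this is not code from any of the posters): the ad-hoc escaping from the question, one corner case it misses, and the prepared-statement form recommended in the replies. The DSN, user name and password are placeholders, and the sample input is constructed.

```php
<?php
// Added example, not code from the thread. It reproduces the ad-hoc escaping
// from the question, shows one corner case it misses, and gives the
// prepared-statement form recommended in the replies. The DSN, user and
// password are placeholders; the sample input is constructed.
declare(strict_types=1);

/** The approach from the question: escape only the two quote characters. */
function naiveEscape(string $value): string
{
    return str_replace(["'", '"'], ["\\'", '\\"'], $value);
}

// Corner case: a value that ends in a backslash. naiveEscape leaves the
// backslash alone, so in the SQL it escapes the closing quote and the
// literal never terminates. mysql(i)_real_escape_string also escapes
// backslashes and NUL bytes (and needs a connection, because the result
// depends on the connection charset), which is why it beats str_replace.
$input = 'O\'Brien\\';                                   // the PHP value is: O'Brien\
$sql   = "INSERT INTO users (name) VALUES ('" . naiveEscape($input) . "')";
echo $sql, PHP_EOL;                                      // ... VALUES ('O\'Brien\')

/**
 * Prepared statement with PDO_MYSQL: the SQL text and the data travel
 * separately, so the value is never escaped or interpolated at all.
 */
function insertUser(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $pdo->lastInsertId();
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',  // placeholder DSN
    'app_user',                                         // placeholder user
    'placeholder-password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,  // server-side prepares, not client-side quoting
    ]
);
echo insertUser($pdo, $input), PHP_EOL;                  // stores O'Brien\ intact
```

Setting `charset` in the DSN matters even with emulated prepares, since client-side quoting is only safe when the driver knows the connection's character set.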