On Sat, Dec 25, 2004 at 12:18:50AM -0500, Peter Jay Salzman wrote:
> This piece of code kept giving error messages that looked like some of my
> VALUES were getting parsed by php:
>
>
> sqlite_query( $handle, "
> INSERT INTO course VALUES (
> sqlite_escape_string($semester),
> sqlite_escape_string($course),
> sqlite_escape_string($course_desc),
> sqlite_escape_string($college),
> sqlite_escape_string($reference)
> )
> ");
<snip>
> I want to do the Right Thing. It seems like using a built in function to
> escape strings would be the preferable way of doing this. I was surprised
> to see it not work, but even more surprised that just normal quoting worked.
>
> Am I not using sqlite_escape_string() correctly?
no, you're not.
sqlite_query($db, "INSERT INTO whints (whid, whregex, "
. "whcatid) VALUES (NULL, '" . sqlite_escape_string($val) . "', '"
. sqlite_escape_string($_REQUEST["whcatid_new"]) . "')");
since your questions are more php-related than sqlite-related, please
consider sending them to a php related mailing list:
http://www.php.net/mailing-lists.php