On Fri, 18 Mar 2005 10:57:34 -0500 [EMAIL PROTECTED] (Peter Jay Salzman) wrote:
> Obtech: I tried to consolidate my knowledge of PHP, magic quotes, and
> SQL. This is my complete understanding on the topic:
>
> http://www.dirac.org/linux/sql_quoting.html
>
> If someone has the time to comment on it and tell me whether I got it
> right or wrong, I'd appreciate it. (This is what I was trying to read
> about when I stumbled onto the avatar above).
>
> Pete
Does PHP not have ?-parameter substitution (so you can say

    SELECT * FROM table WHERE stringattribute=?

and substitute the ? with a string that is properly quoted according to
the language conventions)?
For example, in Java:

    java.sql.Connection c;
    // initialize this however you need to connect to the database,
    // e.g. c = java.sql.DriverManager.getConnection(url, user, password);
    java.sql.PreparedStatement s = c.prepareStatement(
        "SELECT * FROM table WHERE stringattribute=?"
    );
    // bind the value for the first (and only) ? placeholder; the driver
    // takes care of the quoting, so the embedded apostrophes are harmless
    s.setString(1, "It's easy to see that you couldn't embed " +
                   "this in the statement itself");
    java.sql.ResultSet r = s.executeQuery();
This is probably the best way to avoid escaping problems.
--Ken Bloom
--
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
_______________________________________________ vox-tech mailing list [email protected] http://lists.lugod.org/mailman/listinfo/vox-tech
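The ?-placeholder mechanism Ken describes, shown as an added example (not code from the thread) in Python's sqlite3 module, which uses the same qmark style; PHP's PDO extension offers the equivalent via PDO::prepare() and execute(). The table and rows are constructed, and the concatenating query uses the same apostrophe-laden string as Ken's Java snippet to show why hand-quoting is the fragile part.

```python
import sqlite3

# Constructed sample data (not from the thread): one table, one string column.
SAMPLE_ROWS = [
    ("It's easy to see that you couldn't embed this in the statement itself",),
    ("plain value",),
]


def make_db():
    """Build an in-memory database holding SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (stringattribute TEXT)")
    conn.executemany("INSERT INTO t VALUES (?)", SAMPLE_ROWS)
    return conn


def query_concatenated(conn, value):
    """The fragile approach: splice the value into the SQL text.

    An apostrophe inside the value ends the string literal early, so the
    statement no longer parses. The error text is returned instead of rows
    so the caller can see the failure.
    """
    sql = "SELECT * FROM t WHERE stringattribute='" + value + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "error: " + str(exc)


def query_parameterized(conn, value):
    """The approach from the reply: a ? placeholder and a separately bound value.

    The driver passes the value to the engine as data, so no quoting rules
    have to be applied by hand, whatever characters the value contains.
    """
    sql = "SELECT * FROM t WHERE stringattribute=?"
    return [row[0] for row in conn.execute(sql, (value,))]


if __name__ == "__main__":
    conn = make_db()
    needle = SAMPLE_ROWS[0][0]
    print(query_concatenated(conn, needle))   # syntax error from the engine
    print(query_parameterized(conn, needle))  # the matching row
```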
