Dotan Cohen wrote:
On 23/01/2008, mike <[EMAIL PROTECTED]> wrote:
It would be Real Nifty (tm) if the MySQL API had a function that let
you specify the charset without a connection and did the escaping.

Presumably you don't NEED a connection if you already know what
charset thingie you are aiming at...
I concur - it would be nice to have the capability to have a normal
string escape function and give it a character set. I mean we should
all be using utf-8 anyway, right?

I'd be interested in hearing an argument against UTF-8, other than the
disk space argument.

Right now I still use mysql_escape_string and it seems to work fine,
but it makes me nervous as everything else I use is mysqli and I know
it is not 100% compatible (just haven't had anything break it yet) -
but I hate having to have a connection handle open just to escape
things.

I think it was here on this list that we saw an example of SQL
injection despite the use of mysql_escape_string. Some funky Asian
charset was used, no?

Nope.

This article explains all I think:

http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html

--
Postgresql & php tutorials
http://www.designmagick.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
