On 06/08/2012 10:31 AM, Govinda wrote:
Is it possible to have a "meeting of the minds" to come up with (an)
appropriate method(s)?
Minds, meet prepared statements :)
PDO is the way to go :D
Not to refute the above advice one bit (not to mention oppose the arguments
against escaping in general) ... but just curious - can anyone demo a hack
that effectively injects past mysqli_real_escape_string(), while using utf-8 ?
It may just be a matter of time (or already?) before mysqli_real_escape_string
is *proven* ineffective (w/utf-8) ... but here I am just attempting to gather
facts.
Thanks
-Govinda
Ah, but what if I use sqlite or postgres?
IMHO, the discussion needs to be a the best way to prevent SQL injection
across all possible DB types. Not just mysql.
--
Jim Lucas
http://www.cmsws.com/
http://www.cmsws.com/examples/
http://www.bendsource.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
