Re: SQL safe input?

From: Bruno Wolff III
Subject: Re: SQL safe input?
Date:
Msg-id: 20050827033348.GA12398@wolff.to
In reply to: Re: SQL safe input?  (<operationsengineer1@yahoo.com>)
Responses: Re: SQL safe input?  (<operationsengineer1@yahoo.com>)
List: pgsql-novice
On Fri, Aug 26, 2005 at 15:40:02 -0700,
  operationsengineer1@yahoo.com wrote:
> > IMO the best way to do this is to use bind
> > parameters to pass user input
> > to queries. Then you don't need to escape anything.
> > You might still check
> > for very long strings.
>
> this got me thinking...  is this what you are talking
> about (i use ADOdb)?
>
> $db->Execute("INSERT INTO t_customer (customer_name,
> customer_entry_date) VALUES (?,?)",
> array($customer_name, $db->DBDate(time())));
>
> $customer_name is the validated input from the user
> with no escaping of any kind.  is this ok?
>
> this query works just dandy.  does it mean i can start
> sleeping at night?  -lol-

Yes, this is the idea. Bad data for the values can't execute unexpected SQL
commands; it can only cause the query to fail.
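The point made in this reply, shown as an added example that is not part of the thread: the `?` placeholders of the original ADOdb call are carried over to Python's DB-API, with an in-memory SQLite database standing in for PostgreSQL (assumption: the `t_customer` table and the `GLOB` date check are constructed here for illustration). The bound query stores a value containing quotes as a plain string, the string-spliced counterpart lets the same value change the statement's meaning, a malformed date fails the constraint instead of running anything, and the separate length check the reply mentions is kept as ordinary input validation.

```python
import sqlite3

# Constructed schema standing in for the PostgreSQL t_customer table in the thread.
DDL = """
CREATE TABLE t_customer (
    customer_name       TEXT NOT NULL,
    customer_entry_date TEXT NOT NULL
        CHECK (customer_entry_date GLOB '[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]')
)
"""

MAX_NAME_LEN = 100  # the "very long strings" check is ordinary validation, not escaping


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    return conn


def insert_customer(conn, name, entry_date):
    """Bound-parameter insert, the same shape as the ADOdb Execute() call in the thread."""
    if len(name) > MAX_NAME_LEN:
        raise ValueError("customer_name too long")
    conn.execute(
        "INSERT INTO t_customer (customer_name, customer_entry_date) VALUES (?, ?)",
        (name, entry_date),
    )
    conn.commit()


def find_bound(conn, name):
    """Lookup with a bound parameter: the value is compared literally."""
    rows = conn.execute(
        "SELECT customer_name FROM t_customer WHERE customer_name = ?", (name,)
    ).fetchall()
    return [r[0] for r in rows]


def find_concatenated(conn, name):
    """Vulnerable counterpart: the value becomes part of the statement text."""
    sql = f"SELECT customer_name FROM t_customer WHERE customer_name = '{name}'"
    return [r[0] for r in conn.execute(sql).fetchall()]


def demo():
    conn = new_db()
    insert_customer(conn, "Alice", "2005-08-26")
    insert_customer(conn, "Bob", "2005-08-26")

    # Constructed input containing a quote and an OR clause.
    hostile = "x' OR '1'='1"
    insert_customer(conn, hostile, "2005-08-26")  # stored as the literal string

    results = {
        "bound": find_bound(conn, hostile),             # only the row that really matches
        "concatenated": find_concatenated(conn, hostile),  # the spliced text matches every row
    }

    # A bad value for the date column cannot run SQL; it only makes the statement fail.
    try:
        insert_customer(conn, "Carol", "not a date'); --")
        results["bad_date"] = "accepted"
    except sqlite3.IntegrityError:
        results["bad_date"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The `concatenated` result is what the reply warns about: the value rewrote the `WHERE` clause. The `bound` and `bad_date` results are the behaviour it describes for bind parameters: the value is data, and the worst a bad value can do is make the statement fail.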
