On 19/04/2012 20:30, Yvon Thoraval wrote:
>
>
> 2012/4/19 Raymond O'Donnell <rod@iol.ie <mailto:rod@iol.ie>>
>
> Or better still - and easier - use parametrised queries.
>
>
>
> Right it is easier something like :
> $sql = "categories (idx, ctime, mtime, name) VALUES ( :idx, :ctime,
> :mtime, :name);";
> $prep = $db->prepare($sql);
> $prep->execute( array(':idx' => $_GET['idx'], ':ctime' => $ctime,
> ':mtime' => $mtime, ':name' => $name));
>
> no more need to $db->quote() in that case, as :
> $name = $db->quote($name);
> ???
> I mean, even if $name = "L'envers" ? (ie. with a ' in it ?)
Yep - no need to worry about quoting if you use parameters - it's all
done for you. It's also MUCH safer, as it makes SQL injection attacks
much harder (if not impossible).
Ray.
--
Raymond O'Donnell :: Galway :: Ireland
rod@iol.ie