> "Note: If this function is not used to escape data, the query is
> vulnerable to SQL Injection Attacks."
>
> Does that necessarily imply this:
> "If this function is used to escape data, the query is not vulnerable
> to SQL Injection Attacks."?
>
> Logically, it does _not_ mean the same thing.

Definitely not -- it would be a bit presumptuous to claim "If you do
X, the query is not vulnerable to SQL injection attacks" for just
about any value of X.

That said, I would recommend binding parameters if you can. It's a
cleaner way of separating the logic of a query from its data, and
theoretically more reliable than mysql_real_escape_string():

http://en.wikipedia.org/wiki/SQL_injection#Parameterized_statements

Ben

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
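The two approaches contrasted above, as an added example that is not part of the original thread or of PHP's own documentation: the same lookup written first with escaping and then with a bound parameter, using PHP's mysqli extension. The `users` table, its columns and the connection values are assumptions.

```php
<?php
// Added example (not from the original thread). Assumes a `users` table
// with `id`, `username` and `email` columns; the connection values are
// placeholders to be replaced with your own.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}
// Escaping is only correct when the escape routine knows the connection's
// character set, so set it explicitly rather than relying on a default.
$db->set_charset('utf8mb4');

$input = $_GET['username'] ?? '';

// 1. Escaping: the value is still spliced into the SQL text. Safety depends
//    on the escape function matching the connection charset and on the
//    programmer never forgetting the quotes around the interpolated value.
$escaped = $db->real_escape_string($input);
$sql = "SELECT id, email FROM users WHERE username = '$escaped'";
$result = $db->query($sql);
while ($row = $result->fetch_assoc()) {
    printf("%d %s\n", $row['id'], $row['email']);
}
$result->free();

// 2. Binding: the SQL text is fixed and sent to the server on its own; the
//    value travels separately as data, so there is no quoting for the
//    application to get wrong.
$stmt = $db->prepare('SELECT id, email FROM users WHERE username = ?');
$stmt->bind_param('s', $input);   // 's' marks a string parameter
$stmt->execute();
$stmt->bind_result($id, $email);
while ($stmt->fetch()) {
    printf("%d %s\n", $id, $email);
}
$stmt->close();
$db->close();
```

The second form is the one the reply recommends: the query's logic lives in one fixed string and its data in the bound variable, so a review of the code only has to confirm that no user input reaches the SQL string at all. PDO's `prepare()`/`bindValue()` give the same separation if you prefer a driver-independent API.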
