Re: [PHP-WIN] SQL injection - mysql_real_escape_string()?

2012-02-12 Thread Jacob Kruger
OK, I know they reckon using things like parameterised queries is best, and that's what I have done in the past with things like MSSQL server, etc., but the only issue is I would like to be sure all instances of a MySQL server would support this, aside from checking PHPInfo all the time, but let me look

Re: [PHP-WIN] SQL injection - mysql_real_escape_string()?

2012-02-12 Thread Ariz Jacinto
Hi Jacob, Yes, you need to do more than just using mysql_real_escape_string() solely. I recommend the book "SQL Antipatterns: Avoiding the Pitfalls of Database Programming" by Bill Karwin http://www.amazon.com/SQL-Antipatterns-Programming-Pragmatic-Programmers/dp/1934356557

[PHP-WIN] SQL injection - mysql_real_escape_string()?

2012-02-12 Thread Jacob Kruger
Just wondering if anyone else specifically does more than using mysql_real_escape_string function to check freely entered text values before processing queries to a mysql database as such? Stay well Jacob Kruger Blind Biker Skype: BlindZA '...fate had broken his body, but not his spirit...'