> IMO the best way to do this is to use bind
> parameters to pass user input
> to queries. Then you don't need to escape anything.
> You might still check
> for very long strings.
This got me thinking... is this what you are talking
about (I use ADOdb)?
// ADOdb bind parameters: the '?' placeholders are filled from the array
$db->Execute("INSERT INTO t_customer (customer_name, customer_entry_date) VALUES (?,?)",
             array($customer_name, $db->DBDate(time())));
$customer_name is the validated input from the user
with no escaping of any kind. Is this ok?
This query works just dandy. Does it mean I can start
sleeping at night? -lol-
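Added example, not from the thread or from ADOdb: the same "?" binding shown with Python's sqlite3 so it runs stand-alone, alongside the string-concatenation pattern it replaces and the length check the quoted reply suggests. The table layout matches the post; the sample name, date and the 100-character limit are assumptions.

```python
import sqlite3

# Constructed sample input: a legitimate name that happens to contain a quote.
SAMPLE_NAME = "O'Brien"
MAX_NAME_LEN = 100  # assumed application limit; the reply only says "very long strings"


def open_db():
    """In-memory database with the t_customer table from the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t_customer (customer_name TEXT, customer_entry_date TEXT)")
    return conn


def insert_customer(conn, customer_name, entry_date):
    """Bind-parameter insert: the driver passes customer_name as data, separate
    from the SQL text, so quotes in it need no escaping. Returns the stored name."""
    if len(customer_name) > MAX_NAME_LEN:
        raise ValueError("customer_name too long")
    cur = conn.execute(
        "INSERT INTO t_customer (customer_name, customer_entry_date) VALUES (?, ?)",
        (customer_name, entry_date),
    )
    row = conn.execute(
        "SELECT customer_name FROM t_customer WHERE rowid = ?", (cur.lastrowid,)
    ).fetchone()
    return row[0]


def insert_customer_concat(conn, customer_name, entry_date):
    """The pattern binding replaces: input pasted into the SQL text.
    Returns None on success or the database error message if the statement breaks."""
    sql = ("INSERT INTO t_customer (customer_name, customer_entry_date) "
           "VALUES ('" + customer_name + "', '" + entry_date + "')")
    try:
        conn.execute(sql)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


if __name__ == "__main__":
    db = open_db()
    print("bound:", insert_customer(db, SAMPLE_NAME, "2005-08-01"))
    print("concat:", insert_customer_concat(db, SAMPLE_NAME, "2005-08-01"))
```

With the bound version the apostrophe is stored verbatim; with concatenation the same name ends the string literal early and the statement fails to parse.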