On Feb 17, 9:59 am, b...@wards.net (Bill Ward) wrote:
>
> You can be reasonably safe using inline params like that if you're careful
> to make sure $q contains only the sort of characters that make sense for
> your app, and/or if $q is quoted properly. You can use a regex to test that
> it is only alphanumeric, for example. It's just easier to guarantee safety
> if you use bind values... but that's not always practical as you have
> discovered.
>
Don't use a regex. Use the ->quote() method. That's what it's for.
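The three approaches under discussion side by side, as an added example that is not part of either post: naive interpolation of $q, $dbh->quote(), and a bind value, run against a constructed in-memory SQLite table (assumes DBI and DBD::SQLite are installed).

```perl
use strict;
use warnings;
use DBI;

# Constructed in-memory database; DBD::SQLite is assumed to be available.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do("CREATE TABLE users (name TEXT)");
$dbh->do("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

# Untrusted input that a plain "alphanumeric only" regex would reject,
# even though it is a perfectly legitimate value.
my $q = "O'Brien";

# 1. Naive interpolation: the quote inside $q terminates the SQL literal
#    early, so the statement no longer means what the code intended.
#    With RaiseError the resulting prepare error becomes an exception.
my $ok = eval {
    $dbh->selectall_arrayref("SELECT name FROM users WHERE name = '$q'");
    1;
};
print "interpolated: ", ($ok ? "ran" : "failed: $@"), "\n";

# 2. $dbh->quote(): driver-aware escaping that returns a complete quoted
#    literal (surrounding quotes included), ready to drop into the SQL text.
my $lit  = $dbh->quote($q);    # yields 'O''Brien'
my $rows = $dbh->selectall_arrayref(
    "SELECT name FROM users WHERE name = $lit");
print "quote():     literal $lit matched ", scalar(@$rows), " row(s)\n";

# 3. Bind value: the data never becomes part of the SQL text at all.
$rows = $dbh->selectall_arrayref(
    "SELECT name FROM users WHERE name = ?", undef, $q);
print "bind value:  matched ", scalar(@$rows), " row(s)\n";

$dbh->disconnect;
```

quote() escapes literal values only; a table or column name supplied at runtime needs quote_identifier() instead, and where a placeholder is possible the bind value in case 3 remains the simplest option.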