Sherwin Ang writes:

> another approach is using the str_replace() function, just replace the
> single quote ' with two single quotes '' and database inserts should be
> fine.

Very funny. Let's say you're making this query:

DELETE FROM t1 WHERE str_field = '$value'

with your way of doing things, the user would just have to supply the
value "\' OR 1" to turn the query into

DELETE FROM t1 WHERE str_field = '\'' OR 1

which would delete every single row in the table. If there weren't a good
reason for addslashes() to exist, it probably wouldn't.

//C - paranoid, but for good reasons

--
 Carl Troein - Círdan / Istari-PixelMagic - UIN 16353280
 [EMAIL PROTECTED] | http://pixelmagic.dyndns.org/~cirdan/
 Amiga user since '89, and damned proud of it too.
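An added example, not from the post above and written in Python rather than PHP: it reproduces both escaping strategies (quote doubling versus addslashes-style backslash escaping) and scans the resulting MySQL string literal to report what, if anything, of the supplied value ends up outside it. It assumes MySQL's default quoting rules (backslash escapes honoured, '' accepted as a doubled quote); the function and variable names are my own.

```python
# Added example (not from the mailing-list post): why doubling single quotes
# is not enough when the database also treats backslash as an escape.

def escape_by_doubling(value: str) -> str:
    """Equivalent of str_replace("'", "''", $value): only doubles quotes."""
    return value.replace("'", "''")

def escape_addslashes(value: str) -> str:
    """Equivalent of PHP addslashes(): backslash-escapes ' " \\ and NUL."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)

def literal_end(sql: str, start: int) -> int:
    """Index just past the single-quoted MySQL literal opening at sql[start].
    Assumes default MySQL rules: backslash escapes the next character and
    '' inside a literal is one escaped quote."""
    assert sql[start] == "'"
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\":
            i += 2                      # skip the escaped character
        elif ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2                  # doubled quote, still inside
            else:
                return i + 1            # closing quote found
        else:
            i += 1
    raise ValueError("unterminated string literal")

def trailing_sql(escaper, value: str) -> str:
    """Build the DELETE from the post with the escaped value and return the
    text MySQL would parse after the literal. Empty string means the whole
    value stayed inside the literal; anything else is injected SQL."""
    prefix = "DELETE FROM t1 WHERE str_field = "
    sql = prefix + "'" + escaper(value) + "'"
    return sql[literal_end(sql, len(prefix)):]

if __name__ == "__main__":
    supplied = "\\' OR 1"               # the value from the post: \' OR 1
    print(repr(trailing_sql(escape_by_doubling, supplied)))  # " OR 1'"
    print(repr(trailing_sql(escape_addslashes, supplied)))   # ""
```

With quote doubling the backslash neutralises the first of the two quotes, so the second one closes the literal early; with backslash escaping the value stays inside the literal. Bound parameters (prepared statements) sidestep escaping rules entirely and are the preferred fix.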