>hi
>the mysql manual suggests that we use the
>mysql_escape_string() function when generating dynamic
>urls. is there any other situation when it is
>required? and could someone explain when/why this
>would be needed for urls...other than to make the
>browser understand that character (such as ' # etc. in
>the url).
>and if magic_quotes_gpc is on, any and all escape
>characters are backslashed right? how does one check
>what the accepted mysql escape characters are? (like
>-- for a comment)
>thanks
>abs

I leave magic quotes off and make a habit of using mysql_real_escape_string on any components of my query that are dynamic. So if I have the user enter a name to search for I would do:

$query = "SELECT * FROM mytable WHERE username = '" . mysql_real_escape_string($userdata) . "'";

You should escape anything you do not trust.

Regards,
Mike Hillyer
www.vbmysql.com
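
The escaping advice in the reply above, as an added example that is not part of the original thread: it runs the reply's query against a value containing a quote, first unescaped, then escaped, then as a prepared statement. PDO with an in-memory SQLite database is an assumption made here so that it runs without a MySQL server (mysql_real_escape_string() itself was removed in PHP 7); the rows and the search value are constructed.

```php
<?php
// Added example: PDO with an in-memory SQLite database stands in for MySQL
// (assumption) so the script runs without a server. Table and column names
// follow the reply above; the rows and the search value are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE mytable (id INTEGER PRIMARY KEY, username TEXT)");
$db->exec("INSERT INTO mytable (username) VALUES ('alice'), ('O''Brien')");

$userdata = "O'Brien"; // untrusted input containing a quote character

// 1. Unescaped concatenation: the quote in the value ends the string literal
//    early, so the data is parsed as SQL and the statement is malformed.
function search_unescaped(PDO $db, string $userdata): string
{
    $query = "SELECT * FROM mytable WHERE username = '" . $userdata . "'";
    try {
        $db->query($query);
        return "ran: $query";
    } catch (PDOException $e) {
        return "failed: $query";
    }
}

// 2. Escaped concatenation, the pattern in the reply. PDO::quote() escapes
//    the value for the connected driver and adds the surrounding quotes.
function search_escaped(PDO $db, string $userdata): array
{
    $query = "SELECT username FROM mytable WHERE username = " . $db->quote($userdata);
    return $db->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Prepared statement: the value is bound separately from the SQL text,
//    so no escaping step can be forgotten.
function search_prepared(PDO $db, string $userdata): array
{
    $stmt = $db->prepare("SELECT username FROM mytable WHERE username = ?");
    $stmt->execute([$userdata]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

echo search_unescaped($db, $userdata), "\n";
echo implode(", ", search_escaped($db, $userdata)), "\n";
echo implode(", ", search_prepared($db, $userdata)), "\n";
```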