Matthew Stuart said:
> I am on my first MySQL DB and it is very text heavy because it is a
> news site, therefore there is a great deal of use of the apostrophe
> or, as MySQL would see it, the single quote. I was hoping to be able
> to use double quotes to overcome the need to constantly have to
> escape the apostrophe/single quote, and where speech marks or a
> double quote is required, I was going to suggest that the editors
> of the site use two single quotes. Is this going to cause me
> problems?

You will probably soon be cursed by the editors.


> Does this mean that when a user submits an HTML form with a name such
> as 'O'Brien' the name is automatically escaped to 'O\'Brien'?

Most middleware offers some option to do this automatically. Whether
it is called magic quotes, bind variables or prepared statements
depends on what middleware you are using, but the gist is that you
identify to the database driver that you are passing variables instead
of a long string, and that the database driver uses that knowledge to
properly escape the variables.

Pseudocode, written out here as PHP using PDO:
// $pdo is an open PDO connection to the MySQL database.
$sql = "SELECT perms FROM siteusers WHERE uname = ? AND pword = ?";
$stmt = $pdo->prepare($sql);
$stmt->bindValue(1, $user, PDO::PARAM_STR);      // placeholder 1 is a string
$stmt->bindValue(2, $password, PDO::PARAM_STR);  // placeholder 2 is a string
$stmt->execute();

Since you have explicitly told the driver that you are passing a
string to be used at the location of the placeholder, the driver will
validate and escape it for you. That means you can no longer forget
that you need to escape not only single quotes but also backslashes :-)


> Would I be safer to use double quotes to enclose data, eg. "O'Brien"?

Probably a 'best practices' implementation using the functionality of
your middleware to automatically escape quotes and escape characters
is the safest.

Jochem
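As an added example that is not part of the thread above, here is the
bind-variable pattern from Jochem's reply in Python, run against an
in-memory SQLite database so it works without a server. SQLite stands in
for MySQL only because it accepts the same '?' placeholders as the
pseudocode (MySQL drivers such as mysql-connector and PyMySQL use %s
instead); the siteusers table, the logins and the injection string are
all made up for the demonstration.

```python
import sqlite3

# Constructed sample data for a news site's user table. Names contain an
# apostrophe and double quotes on purpose. SQLite stands in for MySQL only
# so this runs without a server; its '?' placeholders match the pseudocode
# above (MySQL drivers differ: mysql-connector and PyMySQL use %s).
SAMPLE_USERS = [
    ("O'Brien", "s3cret", "editor"),
    ('Dan "Danny" Quote', "hunter2", "reader"),
    ("admin", "correct horse", "admin"),
]


def make_db():
    """Build the in-memory siteusers table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE siteusers (uname TEXT, pword TEXT, perms TEXT)")
    conn.executemany("INSERT INTO siteusers VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def perms_unsafe(conn, user, password):
    """String concatenation: the application itself must escape every
    quote (and, on MySQL, every backslash), and here it does not."""
    sql = ("SELECT perms FROM siteusers WHERE uname = '" + user
           + "' AND pword = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def perms_bound(conn, user, password):
    """Bind variables: the values travel separately from the SQL text,
    so an apostrophe in a name is data and can never become syntax."""
    sql = "SELECT perms FROM siteusers WHERE uname = ? AND pword = ?"
    return [row[0] for row in conn.execute(sql, (user, password))]


def demo():
    """Run both variants on a real apostrophe and on an injection attempt."""
    conn = make_db()
    out = {}
    # 1. A genuine editor whose name contains a single quote.
    out["bound_obrien"] = perms_bound(conn, "O'Brien", "s3cret")
    try:
        out["unsafe_obrien"] = perms_unsafe(conn, "O'Brien", "s3cret")
    except sqlite3.OperationalError as exc:
        # The stray quote in O'Brien breaks the statement.
        out["unsafe_obrien"] = "SQL error: " + str(exc)
    # 2. A login attempt that supplies no valid password at all.
    attack = "' OR '1'='1"
    out["unsafe_attack"] = perms_unsafe(conn, "admin", attack)
    out["bound_attack"] = perms_bound(conn, "admin", attack)
    conn.close()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

With concatenation, O'Brien cannot log in at all (the query is a syntax
error) while the made-up password `' OR '1'='1` returns every user's
permissions; with bound variables O'Brien gets his "editor" row and the
attack matches nothing. On MySQL the same applies to the backslash
problem mentioned above: a hand-rolled escaper that only doubles single
quotes is still defeated by a value ending in a backslash, whereas the
driver's binding handles that case as well.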





--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]
