> I prefer PHP Data Objects http://in3.php.net/manual/en/book.pdo.php to
> addslashes and mysql_real_escape_string

I prefer PDO myself.  However, it is not necessarily safer.  When using
prepared statements, the parameters are automatically escaped, similar to
mysql(i)_real_escape_string, if my reading of the documentation is
correct. But as far as I can tell, no escaping is performed on PDO::query
or PDO::exec other than what you do yourself, so you have the same risks
that need to be addressed.

--
Niel Archer
niel.archer (at) blueyonder.co.uk
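
The difference between PDO::query and a prepared statement discussed in the reply above, shown as an added example that is not part of the original message. It assumes the pdo_sqlite extension; the table, the function names and the input string are constructed for illustration.

```php
<?php
// Added example: in-memory SQLite database with constructed sample rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed untrusted input containing quote characters.
$input = "nobody' OR '1'='1";

// PDO::query() with string interpolation: PDO does not escape anything
// here, so the quote in $name ends the literal and rewrites the WHERE clause.
function lookupUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared statement: the value is bound to a placeholder and is only
// ever compared as data against the name column.
function lookupPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// PDO::query() with manual escaping: PDO::quote() is the "what you do
// yourself" step when a prepared statement is not used.
function lookupQuoted(PDO $pdo, string $name): array
{
    $sql = 'SELECT name FROM users WHERE name = ' . $pdo->quote($name);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The unsafe variant returns every row in the table; the other two
// treat the whole input as one name and find no match.
printf("query(), no escaping:   %d row(s)\n", count(lookupUnsafe($pdo, $input)));
printf("prepare() + execute():  %d row(s)\n", count(lookupPrepared($pdo, $input)));
printf("query() + PDO::quote(): %d row(s)\n", count(lookupQuoted($pdo, $input)));
```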



-- 
PHP Database Mailing List (http://www.php.net/)