Matthew Sims wrote:
Your problem has nothing to do with the Objects (or really even PHP for that matter). You're not supposed to run mysql_escape_string on an entire query.
So I ran my $_POST array into array_map before the injection:
$_POST = array_map("mysql_escape_string", $_POST);
And it all worked on nicely.
That's a waste of resources when you're only using one value out of $_POST in your query. Why not just turn on magic_quotes_gpc and have the same effect?
I'd recommend some actual validation methods in your class. Something to ensure $_POST'd values are really integers within a range, strings of a certain length, etc and prepare them for insertion into a query.
-- 
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals – www.phparch.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
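The kind of validation layer John describes (integers checked against a range, strings checked against a length, then safely handed to a query), written out as an added example that is not code from either poster. It assumes a PDO connection to MySQL and a hypothetical `users` table with `id INT` and `name VARCHAR(64)`; the class and function names are invented for illustration. Because the `mysql_*` extension (and with it `mysql_escape_string`) was removed in PHP 7, the query step uses a PDO prepared statement with bound parameters instead of escaping, so the validated value never becomes part of the SQL text at all.

```php
<?php
// Added example, not from the mailing-list thread.
// Assumes: a PDO handle to MySQL and a hypothetical table
//   users (id INT PRIMARY KEY, name VARCHAR(64)).

final class PostValidator
{
    /** @var array<string,string> field => error message */
    private array $errors = [];

    /** @param array<string,mixed> $input typically $_POST */
    public function __construct(private array $input) {}

    /**
     * Accept only a pure decimal integer within [$min, $max].
     * FILTER_VALIDATE_INT rejects "1e3", "0x1A", "12abc", leading zeros
     * and values that overflow PHP_INT_MAX, which a plain (int) cast
     * would silently accept or saturate.
     */
    public function int(string $key, int $min, int $max): ?int
    {
        $raw = $this->input[$key] ?? null;
        if (!is_string($raw)) {           // arrays (key[]=...) are not integers
            $this->errors[$key] = 'missing or not a scalar';
            return null;
        }
        $val = filter_var($raw, FILTER_VALIDATE_INT, [
            'options' => ['min_range' => $min, 'max_range' => $max],
        ]);
        if ($val === false) {
            $this->errors[$key] = "must be an integer in $min..$max";
            return null;
        }
        return $val;
    }

    /**
     * Accept a string whose byte length is within [$minLen, $maxLen]
     * and which contains no control characters (NUL bytes included).
     */
    public function string(string $key, int $minLen, int $maxLen): ?string
    {
        $raw = $this->input[$key] ?? null;
        if (!is_string($raw)) {
            $this->errors[$key] = 'missing or not a scalar';
            return null;
        }
        $len = strlen($raw);              // bytes, matching VARCHAR limits in MySQL
        if ($len < $minLen || $len > $maxLen) {
            $this->errors[$key] = "length must be $minLen..$maxLen bytes";
            return null;
        }
        if (preg_match('/[\x00-\x1F\x7F]/', $raw) === 1) {
            $this->errors[$key] = 'control characters are not allowed';
            return null;
        }
        return $raw;
    }

    /** @return array<string,string> */
    public function errors(): array
    {
        return $this->errors;
    }
}

/**
 * Validate the one field actually used, then bind it.  Escaping is not
 * needed because the value is sent separately from the SQL text.
 * Returns the matching row, or null when input is invalid or no row exists.
 */
function findUserFromPost(PDO $pdo, array $post): ?array
{
    $v  = new PostValidator($post);
    $id = $v->int('id', 1, PHP_INT_MAX);
    if ($id === null) {
        error_log('rejected input: ' . json_encode($v->errors()));
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample input standing in for $_POST; the second one must be rejected.
$good = ['id' => '42'];
$bad  = ['id' => "42 OR 1=1"];
$v = new PostValidator($bad);
var_dump($v->int('id', 1, PHP_INT_MAX));  // NULL, with an error recorded
```

The important property is that validation and query construction are separate steps: the validator decides whether a value is acceptable for its purpose, and the prepared statement guarantees that even an acceptable value cannot change the shape of the query. Running every `$_POST` entry through an escaping function does neither, and `magic_quotes_gpc` only ever approximated the second half.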