Richard Lynch wrote:
> Should one be ultra-conservative and just do:
> $foo_sql = mysql_real_escape_string($connection);

I don't consider this (escaping) to be particularly conservative; it's
appropriate for any data you want to use in an SQL query that's being
sent to MySQL.

Filtering is different - making sure something is what you expect.
Escaping makes sure that something isn't mistaken for something else in
a different context, and mysql_real_escape_string() takes character
encoding into consideration, protecting you against edge cases like this:

http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

Hope that helps.

Chris

-- 
Chris Shiflett
http://shiflett.org/
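A worked illustration of the filtering-versus-escaping split Chris describes, added here and not part of his message or the list thread. It uses the mysqli extension (the successor of ext/mysql's mysql_real_escape_string(), which modern PHP no longer ships) and assumes placeholder connection details and a hypothetical users table.

```php
<?php
// Added example, not from the original message. Filtering asks "is this
// what I expect?"; escaping keeps a value from being read as SQL syntax in
// the query it is placed in. Connection details below are placeholders.

// Filtering: an id must be a short run of digits and nothing else.
// Anything that fails the check is rejected, not "cleaned up".
function filter_user_id(string $raw): ?int
{
    if (!ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    return (int) $raw;
}

// Escaping: done through the connection, because correct escaping depends
// on the character set the connection uses. addslashes() has no idea what
// that charset is; mysqli_real_escape_string() does, provided the charset
// was set on the connection with mysqli_set_charset() (a plain
// "SET NAMES" query does not tell the client library about it).
function escape_for_mysql(mysqli $link, string $value): string
{
    return mysqli_real_escape_string($link, $value);
}

$link = mysqli_connect('db.example.invalid', 'app', 'secret', 'shop'); // placeholders
if ($link === false) {
    exit('connect failed: ' . mysqli_connect_error());
}
mysqli_set_charset($link, 'utf8mb4');

$id = filter_user_id($_GET['id'] ?? '');
if ($id === null) {
    http_response_code(400);
    exit('bad id');
}

// A free-text field has no fixed shape to filter down to, so it is escaped
// for the SQL string context it lands in, and quoted in the query.
$name_sql = escape_for_mysql($link, $_GET['name'] ?? '');

// $id passed the digits-only filter; $name_sql is escaped for this connection.
$sql = "UPDATE users SET name = '$name_sql' WHERE id = $id";
mysqli_query($link, $sql);
```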

-- 
PHP General Mailing List (http://www.php.net/)