Ah, ic. Mh, why wouldn't a function like that function without a db
connection? Does it use the db? Isn't that less efficient? I might just use
str_replace, because i can't think of any way that one could get a sql
injection into
str_replace("'", "\\\'", $value); // might need to replace a literal \ too.
If you can, please enlighten me.
Maybe if they enter something like \c ?? Like one of the mysql special
commands? But if it's inside a string literal??
Thanks a lot, i would have never thought about that.
Will try.
Tim-Hinnerk Heuer
http://www.ihostnz.com
George Burns - "I would go out with women my age, but there are no women my
age."
2009/2/21 Ross McKay <ro...@zeta.org.au>
> On Sat, 21 Feb 2009 19:19:44 +1300, t...@ihostnz.com wrote:
>
> >Can anyone here tell me why mysql_real_escape_string("asdasddas") returns
> an
> >empty string?
>
> Have you opened a connection to a MySQL database? It won't work without
> an open connection.
> --
> Ross McKay, Toronto, NSW Australia
> "Let the laddie play wi the knife - he'll learn"
> - The Wee Book of Calvin
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
