> I assumed the reason you wanted to escape the string was so that you could
> perform DB operations.

Yes, that is my intention. However, the function is found in an include file of functions used in many different scripts, each of which connects to a different database or may not connect to a database at all, so I cannot rely on a database connection existing. The workaround would be to put this particular function in a separate include file, to be included only when a database connection is present, but I would like to find a better way, as I find it most maintainable to have all my reused functions in a single file. To give you an idea, the file contains these functions:

function clean_mysql ($dirty)
function clean_html ($dirty)
function make_paginated_links_menu ($pages, $difference)
function obfuscate_email_address ($address)

Not all functions are used in all pages; however, this file of reusable functions is included in all of them. Only the clean_mysql function gives me trouble, because I cannot ensure a database connection.

> In your select/insert/update class(es)/function(s), you could just use
> prepare statement and bind param. Thus, no need to escape the string to
> protect against injection. It's also faster if by chance you're doing
> several updates/inserts due to the nature of prepare statement. You could
> use a call back function in case you have a varying size array of
> parameters, making your code more adaptable and somewhat smaller. I
> generally prefer using prepare statement + bind param over escape string +
> query for speed and flexibility.
>
> http://www.php.net/manual/en/mysqli.prepare.php
> http://www.php.net/manual/en/mysqli-stmt.bind-param.php
>
> have good examples.

Thanks. Going through those pages, I see that it is not what I need. It is good to know, though.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
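The two approaches discussed in this thread, written out as an added example (not code from either poster): a `clean_mysql` that takes the connection explicitly, so the shared include file never depends on a global link, and a prepared-statement helper that accepts a varying number of bound parameters. The `users` table, column names and `$link` credentials are placeholders.

```php
<?php
// Added example, not the list poster's code. Both helpers can live in a shared
// include file because neither touches a database until it is actually called.

// 1. Escaping. mysqli_real_escape_string() needs a live connection because the
//    escaping rules depend on the connection's character set, so the caller
//    passes the link in rather than the function assuming one exists.
function clean_mysql($dirty, mysqli $link)
{
    return mysqli_real_escape_string($link, $dirty);
}

// 2. Prepared statement + bind_param. Values are sent separately from the SQL
//    text, so nothing needs escaping and no string is ever spliced into the
//    query. $types is the bind_param type string (one letter per parameter,
//    e.g. 'ss' for two strings); $params is an array of matching length.
function run_prepared(mysqli $link, $sql, $types, array $params)
{
    if (strlen($types) !== count($params)) {
        throw new InvalidArgumentException('type string does not match parameter count');
    }
    $stmt = $link->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $link->error);
    }
    if ($params !== array()) {
        // bind_param takes its arguments by reference; the "..." spread (PHP 5.6+)
        // unpacks the array correctly. On older PHP the equivalent is
        // call_user_func_array(array($stmt, 'bind_param'), $refs) with an array
        // of references built by hand.
        $stmt->bind_param($types, ...$params);
    }
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    return $stmt;
}

// Usage (placeholder credentials and table):
// $link = new mysqli('localhost', 'user', 'pass', 'dbname');
// $stmt = run_prepared($link,
//     'INSERT INTO users (name, email) VALUES (?, ?)', 'ss', array($name, $email));
// $stmt->close();
```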