On Thu, 2005-03-17 at 12:50 -0500, Peter Jay Salzman wrote:
> Without using sqlite_escape_string, single quotes cause "SQL Logic or
> missing database" errors. So I'm forced to use that function on variables
> set via a form.
>
> But then to avoid the "backslash in the data" problem, I need to use
> stripslashes on the variables I'm about to write to the database.
>
> But just in case a user has magic_quotes_gpc set off, I need to test that
> function and then decide whether to use stripslashes() or not.
>
> Problem solved, but the solution is kind of, well, "icky".
In the TCL bindings for SQLite, no quoting of variable contents is needed.
You say something like this:

    db eval {INSERT INTO table1 VALUES($var1,$var2)}

The TCL bindings see the $var1 and $var2 in the SQL code, reach in to TCL
and extract the values of the corresponding variables, then use
sqlite3_bind_... to pass those values directly to SQLite without the need
for any escaping or quoting. The technique is also very fast since it
avoids unnecessary copying of the string text. The whole approach works
very very well.

The same idea would, in theory, work with PHP. I suggested as much to the
PHP developers, saying I thought it would make the interface much simpler.
But the idea was rejected.

-- 
D. Richard Hipp <[EMAIL PROTECTED]>
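The binding approach described in the reply above, as an added example that is not part of the original thread and is not the TCL or PHP code being discussed. It uses Python's sqlite3 module, whose `?` and `:name` placeholders go through sqlite3_bind_* just as the TCL `$var` references do, and sets it beside the paste-the-value-into-the-SQL approach that forces the escape/stripslashes dance. The table name `table1` is borrowed from the reply; the column names and sample values are constructed for the example.

```python
"""Added example: bound parameters versus string interpolation in SQLite.

Not code from the original thread. Demonstrates, with Python's sqlite3
module, the point D. Richard Hipp makes about the TCL bindings: when the
value is bound rather than pasted into the SQL text, no escaping is
needed and quotes or backslashes in the data are stored exactly as given.
"""
import sqlite3


def make_db():
    """In-memory database with a two-column table (columns are assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (name TEXT, note TEXT)")
    return conn


def insert_interpolated(conn, name, note):
    """The fragile way: the value becomes part of the SQL text.

    A single quote in the data either breaks the statement (the
    "SQL logic error" Peter ran into) or changes its meaning.
    """
    sql = "INSERT INTO table1 VALUES('%s','%s')" % (name, note)
    conn.execute(sql)


def insert_bound(conn, name, note):
    """The TCL-style way: placeholders in the SQL, values bound separately.

    sqlite3 hands the Python strings to sqlite3_bind_text; nothing is
    escaped or unescaped, so backslashes and apostrophes round-trip.
    """
    conn.execute(
        "INSERT INTO table1 VALUES(:name, :note)",
        {"name": name, "note": note},
    )


def lookup_interpolated(conn, name):
    """Lookup with the value pasted in: open to a classic tautology."""
    sql = "SELECT name FROM table1 WHERE name='%s'" % name
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    """Same lookup with a bound parameter: the input is only ever data."""
    return conn.execute(
        "SELECT name FROM table1 WHERE name=?", (name,)
    ).fetchall()


def fetch_all(conn):
    return conn.execute(
        "SELECT name, note FROM table1 ORDER BY rowid"
    ).fetchall()


def interpolation_breaks_on_quote():
    """True if a plain apostrophe makes the interpolated INSERT fail."""
    conn = make_db()
    try:
        insert_interpolated(conn, "O'Reilly", "plain note")
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    """Run both approaches over constructed awkward inputs."""
    conn = make_db()
    # Constructed sample data: an apostrophe and literal backslashes,
    # the two characters that caused trouble in the original question.
    rows = [("O'Reilly", "it's fine"), ("C:\\path\\file", "back\\slash")]
    for name, note in rows:
        insert_bound(conn, name, note)

    hostile = "' OR '1'='1"  # constructed injection payload
    return {
        "stored": fetch_all(conn),
        "quote_breaks_interpolation": interpolation_breaks_on_quote(),
        "injection_rows": len(lookup_interpolated(conn, hostile)),
        "bound_rows": len(lookup_bound(conn, hostile)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Binding does not merely sidestep the quoting errors; it also removes the magic_quotes_gpc guesswork, because the stored bytes are whatever the application passed, and the tautology payload that returns every row through the interpolated lookup matches nothing through the bound one.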