On Sat, May 17, 2008 at 09:30:19AM -0500, Skip Evans scratched on the wall:

> Okay, I'm looking all through the PDO docs on 
> php.net, but am unable to find the SQLite 
> equivalent to the MySQL function
> 
> mysql_real_escape_string()
> 
> in case, among other things, a text field contains 
> single quotes, etc.

  Ugg... a wonderful example of how not to do things.  Functions like
  this shouldn't exist.

> How is this done in SQLite? I'm still scouring the 
> docs but having no luck.
> 
> Does it have something to do with
> 
> $dbh->prepare()
> 
> ...or am I on the wrong track with that one?

  The proper way to deal with such things is to bind the strings to a
  prepared statement.  Bound parameters are never passed through the
  SQL parser, making it impossible to create an SQL injection.

  It took me all of 30 seconds to Google an example of when something
  like mysql_real_escape_string() breaks:

  http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html


   -j

-- 
Jay A. Kreibich < J A Y  @  K R E I B I.C H >

"'People who live in bamboo houses should not throw pandas.' Jesus said that."
   - "The Ninja", www.AskANinja.com, "Special Delivery 10: Pop!Tech 2006"
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
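The binding approach described in the reply above, as an added PHP/PDO example that is not part of the original thread; it assumes an in-memory SQLite database and a constructed table `notes` with a column `body`.

```php
<?php
// Added example (not from the original thread): binding parameters with PDO
// and SQLite so that user-supplied text never reaches the SQL parser.
// Uses an in-memory database, so it runs without any files on disk.

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed input: contains a single quote and an SQL comment token.
$userText = "O'Reilly's note; -- still plain data when bound";

// Named placeholder; the value travels separately from the SQL text,
// so no escaping step is needed (or wanted).
$ins = $dbh->prepare('INSERT INTO notes (body) VALUES (:body)');
$ins->bindValue(':body', $userText, PDO::PARAM_STR);
$ins->execute();

// Same idea for lookups: positional placeholder plus execute() with an array.
$sel = $dbh->prepare('SELECT id, body FROM notes WHERE body = ?');
$sel->execute([$userText]);
$row = $sel->fetch(PDO::FETCH_ASSOC);
var_dump($row['body'] === $userText); // bool(true): stored byte-for-byte

// For contrast, building the SQL by concatenation is what breaks: the quote
// in $userText would terminate the string literal early. PDO::quote() exists
// for the rare case where binding is impossible, but it is not a substitute.
// $dbh->exec("INSERT INTO notes (body) VALUES ('$userText')"); // broken
```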