Skip Evans wrote:
> Hey all,
> 
> Okay, I'm looking all through the PDO docs on 
> php.net, but am unable to find the SQLite 
> equivalent to the MySQL function
> 
> mysql_real_escape_string()
> 
> in case, among other things, a text field contains 
>   single quotes, etc.
> 
> How is this done in SQLite? I'm still scouring the 
>   the docs but having no luck.
> 
> Does it have something to do with
> 
> $dbh->prepare()
> 
> ...or am I on the wrong track with that one?

As mentioned above, the BEST way to do it is with prepared statements and 
bound variables. If you have to use raw SQL then just use the PDO::quote 
method:

http://php.web-ster.com/manual/en/pdo.quote.php

<?php
$conn = new PDO('sqlite:/home/lynn/music.sql3');
$string = 'Nice';
// quote() returns the value wrapped in single quotes with embedded quotes escaped
print "Quoted string: " . $conn->quote($string) . "\n";

I'm open to discussion about whether or not this is still 
vulnerable to SQL injection.

-- 
Scott Baker - Canby Telcom
RHCE - System Administrator - 503.266.8253
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
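As an added example (not code from the thread above), the three approaches side by side against an in-memory SQLite database: plain string concatenation, which breaks on a value containing a single quote; PDO::quote(), which escapes the value for use in hand-built SQL; and a prepared statement with a bound parameter, where the value never becomes part of the SQL text at all. The table name, column names and the sample title are constructed for this example.

```php
<?php
// Added example: contrasts concatenation, PDO::quote() and bound parameters.
// Uses an in-memory SQLite database so it runs without a file on disk.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE tracks (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');

// Constructed input containing a single quote, the case the question asks about.
$title = "Don't Stop Me Now";

// 1. Raw concatenation: the quote inside $title terminates the string literal
//    early, so SQLite rejects the statement (and attacker-chosen input could
//    instead turn into extra SQL).
try {
    $dbh->exec("INSERT INTO tracks (title) VALUES ('" . $title . "')");
} catch (PDOException $e) {
    echo "Concatenation failed: " . $e->getMessage() . "\n";
}

// 2. PDO::quote(): the SQLite driver doubles the embedded quote and wraps the
//    value in single quotes, so the resulting SQL is well-formed. Only use this
//    when you genuinely have to build the SQL string yourself.
$dbh->exec("INSERT INTO tracks (title) VALUES (" . $dbh->quote($title) . ")");

// 3. Prepared statement with a bound parameter: the SQL text is fixed and the
//    value is passed separately, so there is nothing to escape.
$stmt = $dbh->prepare('INSERT INTO tracks (title) VALUES (:title)');
$stmt->execute([':title' => $title]);

// Read back with a bound parameter as well; both stored rows should match.
$stmt = $dbh->prepare('SELECT id, title FROM tracks WHERE title = :title');
$stmt->execute([':title' => $title]);
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo $row['id'] . ': ' . $row['title'] . "\n";
}
```

One caveat worth keeping in mind with quote(): it only protects a string literal in a value position. It does nothing for table or column names, ORDER BY targets, or LIMIT counts, and neither do bound parameters; those have to be checked against a whitelist in your own code.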