Tobias Burnus wrote:

Why don't you use mysql_escape_string(...)?
http://de.php.net/manual/en/function.mysql-escape-string.php

Why not just use PEAR::DB, as recommended in the book "Essential PHP Security"? It handles multiple SQL interfaces and escapes the data automatically for you, appropriately for the type of database you're using.

http://www.devshed.com/c/a/PHP/Accessing-Databases-with-DB/2/



