Re: SQL safe input?
From | |
---|---|
Subject | Re: SQL safe input? |
Date | |
Msg-id | 20050826224002.20210.qmail@web33308.mail.mud.yahoo.com |
In reply to | Re: SQL safe input? (Bruno Wolff III <bruno@wolff.to>) |
Replies | Re: SQL safe input? |
List | pgsql-novice |
> IMO the best way to do this is to use bind parameters to pass user input
> to queries. Then you don't need to escape anything. You might still check
> for very long strings.

this got me thinking... is this what you are talking about (i use ADOdb)?

$db->Execute("INSERT INTO t_customer (customer_name, customer_entry_date) VALUES (?,?)",
    array($customer_name, $db->DBDate(time())));

$customer_name is the validated input from the user with no escaping of any kind. is this ok? this query works just dandy. does it mean i can start sleeping at night? -lol-
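Added example, not part of the original post or of ADOdb: the same INSERT with `?` placeholders, next to a concatenated version, to show what binding changes. It assumes Python's built-in sqlite3 module as an in-memory stand-in for the poster's database; MAX_NAME_LEN and the sample names are constructed for illustration.

```python
import sqlite3
from datetime import date

MAX_NAME_LEN = 100  # assumed limit; the quoted advice only says to check for very long strings

def open_db():
    """In-memory stand-in for the poster's database, same table and column names."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE t_customer (customer_name TEXT, customer_entry_date TEXT)")
    return db

def insert_concatenated(db, customer_name):
    """Anti-pattern: the user input becomes part of the SQL text itself."""
    sql = ("INSERT INTO t_customer (customer_name, customer_entry_date) "
           "VALUES ('" + customer_name + "', '" + date.today().isoformat() + "')")
    db.execute(sql)

def insert_bound(db, customer_name):
    """Statement shape from the post: constant SQL text, values passed separately."""
    if len(customer_name) > MAX_NAME_LEN:
        raise ValueError("customer_name too long")
    db.execute(
        "INSERT INTO t_customer (customer_name, customer_entry_date) VALUES (?, ?)",
        (customer_name, date.today().isoformat()),
    )

def stored_names(db):
    return [row[0] for row in db.execute("SELECT customer_name FROM t_customer ORDER BY rowid")]

def demo():
    """Returns (concatenation_failed, names stored through bound parameters)."""
    # Constructed sample inputs containing quote characters and SQL-looking text.
    samples = ["O'Brien", 'Acme; -- "quoted" text']
    db = open_db()
    try:
        insert_concatenated(db, samples[0])
        failed = False
    except sqlite3.OperationalError:
        failed = True  # the apostrophe ended the string literal early and broke the statement
    for name in samples:
        insert_bound(db, name)  # stored byte-for-byte, never parsed as SQL
    return failed, stored_names(db)

if __name__ == "__main__":
    print(demo())
```

With binding, the quote characters reach the table unchanged because the driver never splices the value into the statement text; the length check stays a separate, application-level decision.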