Re: [SQL] What do I need to escape in an Insert ?
From | lynch@lscorp.com (Richard Lynch) |
---|---|
Subject | Re: [SQL] What do I need to escape in an Insert ? |
Date | |
Msg-id | v02140b20b1e77066ac49@[207.152.64.133] |
List | pgsql-sql |
>I currently use the PHP's addslashes function, is it enough ?

1. PHP's addslashes function was written for this express purpose, and it is exactly what you want. It has been debugged by professionals who know what they are doing, and has been tested thoroughly by hundreds, if not thousands, of users. It is also optimized to be a bizillion times faster than any regex or PHP code you could possibly come up with.

2. PHP also has a setting in its php3.ini file which turns on "magic quotes". This feature automagically does addslashes to every piece of data at some point, and maybe removes them at some other point, which is probably why everything has just been working for you by magic. I think the slashes are added during the parsing of the GET/POST/COOKIE parameters. The novice user frequently doesn't worry about "'/ etc, and PHP covers for them.

When you really need to output the raw string PHP is throwing around, you can simply addslashes to the already addslashed string, which would then display the first set of slashes.

Experts can also turn off addslashes for a minuscule performance gain, and call addslashes on only the data being sent to a database or webpage. Of course, any old scripts need to be checked thoroughly for dependencies on the "magic quotes" function.

If you arbitrarily called addslashes on something that PHP had already applied addslashes to because of the "magic quotes" feature, it would probably break things. Don't do that. Figure out what "magic quotes" does, and then what addslashes does, and when/why you would want to use it.

If it's working for you, then just trust the PHP developers to know what they are doing. They do. IE If it ain't broke, don't fix it. :-)

Documentation on both of these is available at the extremely well-organized and multiply-mirrored website: www.php.net

-- -- -- "TANSTAAFL"
Rich lynch@lscorp.com
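
Added example, not part of the original message: a short PHP script showing the double-escaping problem the message warns about, next to a helper that escapes exactly once. The helper names are hypothetical, "magic quotes" is simulated with addslashes because current PHP no longer has the setting, and stripslashes stands in for a SQL string-literal parser that honours backslash escapes.

```php
<?php
// Added illustration; not code from the original message.
// Magic quotes no longer exists in current PHP, so it is simulated here.

// Hypothetical helper: what magic quotes did to GET/POST/COOKIE input.
function simulate_magic_quotes(string $raw): string
{
    return addslashes($raw);
}

// Hypothetical helper: strips one escaping layer, standing in for a SQL
// string-literal parser that honours backslash escapes.
function value_as_stored(string $escaped): string
{
    return stripslashes($escaped);
}

// Hypothetical helper: escape exactly once, whatever the input layer did.
function escape_once(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? $value : addslashes($value);
}

// Constructed sample inputs: a quote, a backslash, and double quotes.
$samples = ["O'Reilly", 'C:\\temp', 'say "hi"'];

foreach ($samples as $raw) {
    $fromRequest = simulate_magic_quotes($raw);  // input layer already escaped
    $twice = addslashes($fromRequest);           // script escapes again
    $once = escape_once($fromRequest, true);     // script checks the setting first

    printf("raw input     : %s\n", $raw);
    printf("escaped twice : %s -> stored as %s\n", $twice, value_as_stored($twice));
    printf("escaped once  : %s -> stored as %s\n", $once, value_as_stored($once));
    printf(
        "round-trips   : twice=%s once=%s\n\n",
        var_export(value_as_stored($twice) === $raw, true),
        var_export(value_as_stored($once) === $raw, true)
    );
}
```

addslashes works on bytes and knows nothing about the database connection's encoding; PHP's pgsql extension also provides pg_escape_string() and pg_query_params(), the latter sending values separately from the SQL text.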