Re: sql injection
- Posted by Matt Lewis Jul 13, 2008
- 717 views
Jeremy Cowgar said...
That's really a job for the database library you are using because different database servers escape characters differently. Some may use '' to escape a single quote, others will use \'. Now, the way I did it in my unfinished DBI library was to allow you to do things such as:
If I read this correctly, you're taking an escape approach, rather than using parameters? What about prepared statements?
Matt
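To make the trade-off in this exchange concrete, here is an added example (not code from the thread or from Jeremy's DBI library, and in Python with the standard sqlite3 module rather than Euphoria). It runs one injection payload through three approaches: raw string concatenation, hand-rolled escaping in the two dialect styles Jeremy mentions ('' and \'), and a parameterised query as Matt suggests. The table, rows and payload are constructed for the demo. SQLite follows the SQL-standard '' convention, so the backslash-style escaper is the "wrong dialect" here: it still lets the payload through, which is exactly why escaping is database-specific while parameters are not.

```python
import sqlite3

# Constructed sample data for the demo (not from the original post).
ROWS = [("alice", "admin"), ("bob", "user"), ("o'brien", "user")]

# Constructed injection payload: the leading backslash is what defeats
# a backslash-style escaper on a database that does not treat \ specially.
PAYLOAD = "\\' OR 1=1 --"


def make_db():
    """In-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the caller's string is pasted straight into the SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def escape_sql_standard(s):
    """'' style: SQL standard, used by SQLite, PostgreSQL, Oracle, MSSQL."""
    return s.replace("'", "''")


def escape_backslash(s):
    """\\' style: MySQL's default behaviour. Wrong for SQLite."""
    return s.replace("\\", "\\\\").replace("'", "\\'")


def lookup_escaped(conn, name, escape):
    """Escape-then-concatenate: only as safe as the escaper matches the DB."""
    sql = "SELECT name, role FROM users WHERE name = '" + escape(name) + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Parameterised query: the driver sends the value separately from the
    SQL text, so no quoting rules have to be known by the application."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def run_demo():
    """Return a dict of approach -> rows returned for PAYLOAD."""
    conn = make_db()
    results = {
        "concat": lookup_concat(conn, PAYLOAD),
        "escape_standard": lookup_escaped(conn, PAYLOAD, escape_sql_standard),
        "escape_backslash": lookup_escaped(conn, PAYLOAD, escape_backslash),
        "param": lookup_param(conn, PAYLOAD),
        # A legitimate name containing a quote, to show parameters also
        # fix the correctness problem, not just the security one.
        "param_obrien": lookup_param(conn, "o'brien"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for approach, rows in run_demo().items():
        print(f"{approach:18s} -> {len(rows)} row(s): {rows}")
```

With this payload the concatenated query and the backslash-escaped query both return every row, because SQLite reads '\\\' as a literal of three backslashes and the rest of the payload as SQL; the ''-style escaper and the parameterised query return nothing. Swap in MySQL (which honours backslashes by default) and the escapers' fortunes reverse, which is the point: the escaping approach needs per-database knowledge and the parameter approach does not.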