09-19-2007, 09:04 PM
Moderateur
Join Date: Apr 2007
Posts: 1,377
Thanks: 5
To clarify Wildhoney's post: you don't want to mysql_real_escape_string the entire SQL query all in one go. It is only intended to escape portions of user input (generally the values of columns).
PHP Code:
$szTitle = ... // untrusted input (from $_POST, $_GET, etc.)
// Escape only the value, then splice it into the quoted string literal.
$szSafeSQL = sprintf('SELECT * FROM myTable WHERE title = "%s"', mysql_real_escape_string($szTitle));
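The following is an added example, not part of the original forum post, showing concretely why escaping the value and escaping the whole query give different results. mysql_real_escape_string() needs a live MySQL connection (it uses the connection's character set), so the stand-in escape_like_mysql() below is an assumption for offline demonstration only; it escapes the same characters the MySQL C API escapes (NUL, newline, carriage return, backslash, both quote characters and Ctrl-Z).

```php
<?php
// Added example; not code from the original post.
// Stand-in for mysql_real_escape_string(): same character set, no DB
// connection needed. Assumption for demonstration only, not production code.
function escape_like_mysql(string $value): string
{
    return strtr($value, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Constructed untrusted input: a value that tries to close the quoted
// string literal and append its own condition.
$title = 'foo" OR "1"="1';

// Right: escape only the untrusted value, then splice it into the query.
// Every quote inside the value becomes \" so MySQL treats the whole thing
// as one string literal compared against the title column.
$safe = sprintf('SELECT * FROM myTable WHERE title = "%s"',
                escape_like_mysql($title));
// SELECT * FROM myTable WHERE title = "foo\" OR \"1\"=\"1"

// Wrong: escaping the finished query also escapes the query's own quotes,
// so the statement no longer parses. Had the value been spliced in first,
// the escaping would be applied too late to matter anyway.
$broken = escape_like_mysql(
    sprintf('SELECT * FROM myTable WHERE title = "%s"', $title));
// SELECT * FROM myTable WHERE title = \"foo\" OR \"1\"=\"1\"

echo "value-escaped: ", $safe, PHP_EOL;
echo "query-escaped: ", $broken, PHP_EOL;
```

Two caveats worth keeping in mind when reading the original snippet today: the escaping is only correct for the connection's character set, which is exactly why the real function needs a connection handle, and the mysql_* extension was removed in PHP 7, so current code uses mysqli or PDO, where binding the value as a prepared-statement parameter avoids splicing it into the SQL text at all.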