At 10:46a -0500 on 20 Dec 2007, Bill Moran wrote:
> In response to Erik Jones <erik@myemma.com>:
>>> In php is there a postgresql version of mysql_real_escape_string() ?
>> You have both pg_escape_string and pg_escape_bytea available.
>
> Is there a mysql_fake_escape_string()? Should PostgreSQL have a
> pg_pretend_to_escape_string() that effectively does nothing?
Haha! Awesome! You should "count it," Bill.
Serious now, who writes the code for those PHP functions? Is that a
call that PHP makes to the respective database or does someone actually
continually keep the PHP code "up-to-date"?
Second question: why is there not more emphasis on using prepared
statements? I was taught at $SCHOOL that prepared statements,
especially for anything involving unknown user input, is the Right Way.
Am I missing something or is the lack of use of these just a noob factor?
Thanks,
Kevin