On Mon, May 11, 2009 at 12:50 PM, Jan Luca jan@jans-seite.de wrote:
Hello,
should I use mysql_real_escape_string, or does the DB class do this automatically?
Regards, jan
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
It doesn't do it automatically, but we've abstracted it into the addQuotes() method that can do it for you (i.e. don't call mysql_real_escape_string() yourself). This way it can be properly abstracted for systems other than MySQL.
Also, when using LIKE, we've got escapeLike() for sanitizing user input for %'s.
-Chad
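To make the two points in Chad's reply concrete, here is an added, stand-alone PHP sketch; it is not MediaWiki's own Database class and not code from this thread. The `ToyDatabase` class, its `addQuotes()`/`escapeLike()` bodies, the `buildSearchQuery()` helper and the sample inputs are all assumptions constructed for illustration. It mimics the contract the reply describes: callers hand raw values to `addQuotes()` instead of calling `mysql_real_escape_string()` themselves (so the backend-specific rules live in one place), and values going into a `LIKE` pattern pass through `escapeLike()` first so that `%` and `_` in user input match literally rather than as wildcards.

```php
<?php
// Hypothetical stand-in for a DB abstraction layer (not MediaWiki's code).
// The escaping rules below follow MySQL's conventions; a different backend
// would supply a different addQuotes(), which is the point of the abstraction.
class ToyDatabase {
    // Turn a PHP value into a complete, quoted SQL literal.
    // Callers never escape anything themselves; they only ever call this.
    public function addQuotes( $value ) {
        if ( $value === null ) {
            return 'NULL';
        }
        if ( is_int( $value ) || is_float( $value ) ) {
            return (string)$value;
        }
        // MySQL-style string escaping (assumed rules for this sketch).
        $escaped = strtr( (string)$value, [
            "\\"   => "\\\\",
            "'"    => "\\'",
            "\""   => "\\\"",
            "\0"   => "\\0",
            "\n"   => "\\n",
            "\r"   => "\\r",
            "\x1a" => "\\Z",
        ] );
        return "'" . $escaped . "'";
    }

    // Neutralise LIKE metacharacters so user input only matches literally.
    // In this sketch the result is NOT yet quoted: it must still go through
    // addQuotes(), which is why the two calls are nested in buildSearchQuery().
    public function escapeLike( $s ) {
        return strtr( (string)$s, [
            '\\' => '\\\\',
            '%'  => '\\%',
            '_'  => '\\_',
        ] );
    }
}

// Assumed helper: exact-match OR prefix-match lookup against the page table.
// Every user-supplied value reaches the SQL string only via addQuotes();
// the prefix additionally passes through escapeLike() before the wildcard
// is appended, so a '%' typed by the user cannot widen the search.
function buildSearchQuery( ToyDatabase $db, $title, $prefix ) {
    $exact   = $db->addQuotes( $title );
    $pattern = $db->addQuotes( $db->escapeLike( $prefix ) . '%' );
    return "SELECT page_id FROM page WHERE page_title = $exact"
         . " OR page_title LIKE $pattern";
}

// For contrast: the naive concatenation the reply warns against.
// An apostrophe in $title ends the literal early and breaks the statement.
function buildNaiveQuery( $title ) {
    return "SELECT page_id FROM page WHERE page_title = '" . $title . "'";
}

// Constructed sample inputs containing the usual troublemakers.
$db = new ToyDatabase();
echo buildNaiveQuery( "O'Reilly" ), "\n";
// -> ... WHERE page_title = 'O'Reilly'      (malformed SQL)

echo buildSearchQuery( $db, "O'Reilly", "100%_pure" ), "\n";
// -> ... WHERE page_title = 'O\'Reilly' OR page_title LIKE '100\\%\\_pure%'
//    the doubled backslashes are string-literal escapes; after the SQL parser
//    unescapes them, LIKE sees \% and \_ (literal characters) plus one real %
```

Two practical notes. First, the order matters: `escapeLike()` handles only the pattern metacharacters, so its output still has to be quoted by `addQuotes()`, never concatenated directly. Second, later MediaWiki releases added `buildLike()` to the Database class, which builds the whole quoted LIKE expression in one call and is the preferred replacement for hand-assembling `escapeLike()` output.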