mysql_real_escape_string necessary when using prepared statements

It is by accident that I noticed that I forgot to use
mysql_real_escape_string in part of my webapp.
I tested input with the following text: Hélène 51°56'12'' http://www.mysite.org/folder
3 functions worked correctly and 1 failed:
The one that failed didn't have mysql_real_escape_string and neither
did 2 of the ones that worked: in those 2 I used prepared sql
statements (PEAR DB package). The other that I used was with
mysql_real_escape_string.

So my question: can you do without mysql_real_escape_string when using
prepared sql statements with PEAR DB-package or PDO?

For PDO apparently you can when you use quote() and prepared
statements.

Pugi
puginews [ Tue, 14 August 2007 11:56 ] [ ID #1795081 ]
PHP » alt.php.sql » mysql_real_escape_string necessary when using prepared statements
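
The comparison the post describes, as an added example that is not part of the original post: it runs the post's test string through an unescaped concatenated query, a prepared statement with a bound parameter, and a bound parameter that was escaped first. It assumes PDO with the pdo_sqlite driver (in-memory SQLite standing in for MySQL); the `places` table and the function names are constructed for illustration.

```php
<?php
// Added example: constructed table and helpers; in-memory SQLite stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE places (id INTEGER PRIMARY KEY, label TEXT)');

// The test input from the post: accents, a degree sign, single quotes, a URL.
$input = "Hélène 51°56'12'' http://www.mysite.org/folder";

// 1. Concatenation without escaping: the quotes in the value end the SQL
//    string literal early, so the statement no longer parses.
function insertConcatenated(PDO $pdo, string $value): bool
{
    try {
        $pdo->exec("INSERT INTO places (label) VALUES ('" . $value . "')");
        return true;
    } catch (PDOException $e) {
        return false; // syntax error caused by the unescaped quotes
    }
}

// 2. Prepared statement: the value is passed as a bound parameter and is
//    never spliced into the SQL text, so no escaping function is involved.
function insertBound(PDO $pdo, string $value): string
{
    $stmt = $pdo->prepare('INSERT INTO places (label) VALUES (:label)');
    $stmt->execute([':label' => $value]);

    // Read the row back to see exactly what was stored.
    $read = $pdo->prepare('SELECT label FROM places WHERE id = :id');
    $read->execute([':id' => $pdo->lastInsertId()]);
    return $read->fetchColumn();
}

$concatOk = insertConcatenated($pdo, $input);

$stored = insertBound($pdo, $input);

// 3. Escaping first and binding afterwards: the characters added by
//    quote() are treated as data and end up in the stored value.
$storedEscaped = insertBound($pdo, $pdo->quote($input));

var_dump($concatOk);                 // did the concatenated insert succeed?
var_dump($stored === $input);        // did the bound value round-trip intact?
var_dump($storedEscaped === $input); // did the escaped-then-bound value?
echo $storedEscaped, PHP_EOL;
```

The bound insert returns the string unchanged, while the escaped-then-bound insert returns it with the extra quote characters stored as data, which is why an escaping function is not combined with bound parameters.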
