David Vallner
10/25/2006 10:27:00 PM
Hugh Sasse wrote:
> MySQL needs backticks `` for strings. Coming from Unix this was something
> I didn't expect.
Since it works for the strings 'check', that's obviously not the problem.
Also, I'd use a database API that supports parameter placeholders and
does query escaping for you.
Interpolating a string to get a SQL query is Bad (tm). Google around for
"sql injection", "pain", "anguish", "death" (right, some of those aren't
really related).
If anything, use Mysql.escape on strings first at the very least.
David Vallner
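An added example, not code from the thread or from the Mysql library, contrasting the two approaches David describes: splicing a value into the query text versus a placeholder-binding layer that quotes and escapes for you. `mysql_escape` and `bind_params` are hypothetical stand-ins for what a real driver does internally; the example runs without a database and uses a constructed input (a legitimate name containing an apostrophe) to show why interpolation breaks.

```ruby
# mysql_escape mirrors the escaping rules of MySQL's escape function
# (hypothetical reimplementation, not the Mysql gem's own code).
def mysql_escape(str)
  str.gsub(/[\\'"\x00\n\r\x1a]/) do |ch|
    case ch
    when "\x00" then "\\0"
    when "\n"   then "\\n"
    when "\r"   then "\\r"
    when "\x1a" then "\\Z"
    else "\\#{ch}"          # backslash, single quote, double quote
    end
  end
end

# The pattern David warns against: the value is spliced into the SQL text,
# so a quote in the input ends the literal and the rest becomes SQL.
def lookup_by_interpolation(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# What a placeholder-aware API does for you: each '?' is replaced by a
# properly quoted and escaped literal (or a number / NULL), so input can
# never change the shape of the statement. Toy version: it does not skip
# '?' characters that sit inside string literals of the SQL itself.
def bind_params(sql, *values)
  unless sql.count("?") == values.size
    raise ArgumentError, "expected #{sql.count('?')} values, got #{values.size}"
  end
  queue = values.dup
  sql.gsub("?") do
    v = queue.shift
    case v
    when nil     then "NULL"
    when Numeric then v.to_s
    else "'#{mysql_escape(v.to_s)}'"
    end
  end
end

def lookup_by_placeholder(name)
  bind_params("SELECT * FROM users WHERE name = ?", name)
end

if __FILE__ == $0
  name = "O'Brien"   # constructed input: a legitimate name containing a quote
  puts lookup_by_interpolation(name)  # the quote ends the literal early
  puts lookup_by_placeholder(name)    # the quote is escaped; query stays valid
end
```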