Webgeek, could you explain why escaping is not a good option? When using MySQL, I always thought escaping quotes was the way to go. I change every ' to \' using addslashes(), and for numbers I usually multiply their value by 1 just to be sure (not in MySQL of course, I do it in the PHP script). I really think this should be enough, unless someone can prove me wrong.
When it comes to using Access though, it's a different story. I'm not sure if this is typical for all versions of Access, but I know that at least some versions don't allow you to put quotes around numbers, making it impossible to properly escape input strings. So in that case, I usually use recordset.addnew for adding records, but for select it's a bit more tricky. Don't like Access anyway, though. SQL Server is a bit better.
Last edited by Fall_X; 06-24-2006 at 06:03 PM.
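
An added example, not part of the post above: the unquoted-number case the post raises for Access, comparing quote-escaping, integer coercion and a bound parameter. It uses Python with an in-memory SQLite database as a stand-in for PHP and Access; the `addslashes` function, the `users` table and the input strings are constructed for the illustration.

```python
import sqlite3

def addslashes(value):
    # Stand-in for PHP's addslashes(): backslash-escapes \, ' and ".
    for ch in ("\\", "'", '"'):
        value = value.replace(ch, "\\" + ch)
    return value

def make_db():
    # Constructed sample data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def lookup_escaped(conn, raw_id):
    # Quote-escaping only. The value sits in an unquoted numeric position,
    # so input containing no quotes passes through unchanged.
    sql = "SELECT name FROM users WHERE id = " + addslashes(raw_id)
    return sorted(row[0] for row in conn.execute(sql))

def lookup_coerced(conn, raw_id):
    # Strict analogue of the "multiply by 1" habit: int() raises ValueError
    # on anything that is not an integer, so only a number reaches the SQL.
    sql = "SELECT name FROM users WHERE id = " + str(int(raw_id))
    return sorted(row[0] for row in conn.execute(sql))

def lookup_bound(conn, raw_id):
    # Bound parameter: the value travels separately from the SQL text and
    # is never parsed as SQL, whatever characters it contains.
    sql = "SELECT name FROM users WHERE id = ?"
    return sorted(row[0] for row in conn.execute(sql, (raw_id,)))

if __name__ == "__main__":
    conn = make_db()
    hostile = "0 OR 1=1"  # constructed input with no quotes to escape
    print("escaped:", lookup_escaped(conn, hostile))
    try:
        print("coerced:", lookup_coerced(conn, hostile))
    except ValueError:
        print("coerced: rejected, not an integer")
    print("bound:  ", lookup_bound(conn, hostile))
    print("bound, normal input:", lookup_bound(conn, "2"))
```
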