Call to undefined function sqlite_escape_string()

webvandals

I'm using PHP5.2 and SQLite3 with PDO. It seems like the PHP devs in their wisdom have removed functionality for all of the old sqlite functions, including the one that prevents SQL injection attacks. So how the heck am I supposed to ensure that my data is clean before inserting it using PDO? Anyone got any insight on this?

Weedpacket

PDO has named parameters (see [man]pdo-prepare[/man] for an example); character escaping is already built into the PDO driver.

If you want to use the SQLite 2 procedural interface, you need to actually do some installation. After all, since all the functionality is supplied through PDO, why duplicate it if you don't have to?

MarkR

You can either do as Weedpacket says (prepared queries are the most sound way of preventing SQL injection), or use the PDO->quote() method.

Mark