Well, I've been reading 2 hours about mysql_real_escape() and addslashes() and stuff, but my question is: how can I do this to work with PDO and be completely safe?
1 Answer
You can do this using prepared statements. Example:
// $pdo = new PDO(...);
$query = $pdo->prepare('SELECT * FROM table WHERE name = ?');
$query->execute(array($_GET['name'])); // Replaces ? with the
// value in $_GET['name']
You don't have to worry about manually escaping any user inputed data, such as $_GET['name'] in the example above.
mysql_real_escape_string(). It would probably be best if you could show an example of what you're trying to do