Posted on 2007-03-27
I'm trying to do this:
$query = "SELECT * FROM $tbl_name WHERE Date = '$this_date'";
which outputs this:
SELECT * FROM tblMyTable WHERE Date = '2007-03-27'
and of course that works fine...
However, when I do this:
$query = "SELECT * FROM %s Where Date = %s";
$query = mysql_real_escape_string(sprintf($query, $tbl_name, $this_date));
it outputs this:
SELECT * FROM tblMyTable WHERE Date = \'2007-03-27\'
and that doesn't work.
I thought that was the safe way to handle queries.
Is that not OK because... when I call mysql_query it will escape the quotes again?
So if I want to be careful, I should use mysql_real_escape_string directly on the variables I'm worried about and NOT escape the query string.
Thanks VERY MUCH for your help.
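As an added example (not code from the original post), the same query built the way the poster concludes it should be, escaping the value rather than the finished query string, next to the prepared-statement form that avoids escaping altogether. It uses the mysqli extension because the mysql_* functions were removed in PHP 7, and assumes a mysqli connection in `$db` plus a constructed list of allowed table names.

```php
<?php
// Added example, not from the original post. Assumes a mysqli connection $db;
// $tbl_name and $this_date are the same inputs the post uses.

// A table name is an identifier, not a string literal, so escaping does nothing
// for it. Accept only names from a fixed, constructed list and backtick-quote.
function checked_table(string $tbl_name): string {
    $allowed_tables = ['tblMyTable', 'tblArchive'];  // constructed list
    if (!in_array($tbl_name, $allowed_tables, true)) {
        throw new InvalidArgumentException("unknown table: $tbl_name");
    }
    return "`$tbl_name`";
}

// 1. Escape the VALUE, then place it inside the quotes yourself. Escaping the
//    finished query (as in the post) also escapes the quotes that delimit the
//    literal, so MySQL receives \'2007-03-27\' and the query fails.
function build_query_escaped(mysqli $db, string $tbl_name, string $this_date): string {
    $table     = checked_table($tbl_name);
    $safe_date = $db->real_escape_string($this_date);
    return sprintf("SELECT * FROM %s WHERE Date = '%s'", $table, $safe_date);
}

// 2. Preferred: a prepared statement. The value is sent separately from the
//    SQL text, so no escaping is needed (the identifier is still whitelisted).
function fetch_rows_prepared(mysqli $db, string $tbl_name, string $this_date): array {
    $table = checked_table($tbl_name);
    $stmt  = $db->prepare("SELECT * FROM $table WHERE Date = ?");
    $stmt->bind_param('s', $this_date);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage (connection parameters are placeholders):
// $db = new mysqli('localhost', 'user', 'password', 'database');
// echo build_query_escaped($db, 'tblMyTable', '2007-03-27');
// // SELECT * FROM `tblMyTable` WHERE Date = '2007-03-27'
// $rows = fetch_rows_prepared($db, 'tblMyTable', '2007-03-27');
```

`get_result()` needs the mysqlnd driver; on a build without it, bind the columns with `bind_result()` and loop over `fetch()` instead.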