[eluser]loonychune[/eluser]
Thanks for that, I hadn't looked much at the input class...
However, it's not very helpful in this scenario.
It has no effect on a string like:
Code:
a", 'b') or aes_encrypt("jim", @salt) = aes_encrypt("jim
which will break the SQL query I posted if entered into the password input box.
I guess I should have better known what I wanted to know -- and that's: does setting the third parameter to FALSE in the where() function have the effect of removing backticks AND NOT escaping quotes? The answer is yes.
So it's escape_str() or escape() to clean up before querying.
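The behaviour described in the post above, as an added example that is not part of the original post or of CodeIgniter's own code: where() called with the third parameter FALSE, first with the value unescaped and then cleaned with escape(), escape_str() and query bindings. The model name, the `users` table, its `username` and `password` columns and the shape of the query are assumptions, since the original query is not shown here.

```php
<?php
// Added example. Hypothetical model: the `users` table, its `username` and
// `password` columns and the query shape are assumptions, not the poster's code.
class User_model extends CI_Model // plain `Model` on CodeIgniter 1.x
{
    // Unsafe: with the third argument FALSE, where() adds no backticks and
    // escapes nothing, so quotes in $password become part of the SQL text.
    public function check_unescaped($username, $password)
    {
        $this->db->where('username', $username);
        $this->db->where('password = aes_encrypt("' . $password . '", @salt)', NULL, FALSE);
        return (int) $this->db->count_all_results('users') === 1;
    }

    // escape() escapes the value and wraps it in single quotes itself.
    public function check_escape($username, $password)
    {
        $this->db->where('username', $username);
        $this->db->where('password = aes_encrypt(' . $this->db->escape($password) . ', @salt)', NULL, FALSE);
        return (int) $this->db->count_all_results('users') === 1;
    }

    // escape_str() only escapes; the surrounding quotes stay in the SQL text.
    public function check_escape_str($username, $password)
    {
        $this->db->where('username', $username);
        $this->db->where("password = aes_encrypt('" . $this->db->escape_str($password) . "', @salt)", NULL, FALSE);
        return (int) $this->db->count_all_results('users') === 1;
    }

    // Query bindings: every ? placeholder is escaped and quoted by the database layer.
    public function check_binding($username, $password)
    {
        $sql = 'SELECT COUNT(*) AS n FROM users WHERE username = ? AND password = aes_encrypt(?, @salt)';
        $row = $this->db->query($sql, array($username, $password))->row();
        return (int) $row->n === 1;
    }
}
```

Note the difference in quoting: escape() supplies its own single quotes, while escape_str() leaves them to the caller, so mixing the two up either doubles the quotes or leaves the value unquoted.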