Escape Array in SQL. How to do it?
#1

behnampmdg3
Hi;

Escaping only works within a quoted SQL string. It prevents the user from breaking out of this string. In this SQL below since I insert the value directly into the query without quoting it, the escaping is completely pointless. It has no effect at all. And if it did, you'd break the query. Because then you'd have an IN expression with a single big string in it.

How can I quote and escape the individual IDs?
Code:
$sql = "SELECT
           *
       FROM   ad_have
           INNER JOIN members
             ON members.id = ad_have.member_id
         INNER JOIN au_postcodes
             ON au_postcodes.id = ad_have.suburb
         LEFT OUTER JOIN
          (SELECT ad_ID, ad_have_photo.photo FROM ad_have_photo GROUP BY ad_ID) AS Q_PHOTO  ON Q_PHOTO.ad_ID = ad_have.id
                
       WHERE ad_have.active = 'y'
       AND ad_have.id IN ".$this->db->escape_str($ad_ids)."
       AND ad_have.weekly_rent > 0
       ORDER BY ad_have.id DESC ";
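
An added example, not part of the original post: one way to handle each ID individually is to validate it as an integer and bind it through its own `?` placeholder, so nothing from the array is concatenated into the SQL text. `build_in_clause()` is a hypothetical helper, and the in-memory SQLite table (via PDO, assuming `pdo_sqlite` is available) is a constructed, cut-down stand-in for `ad_have`.

```php
<?php
/**
 * Validate a list of IDs and return the "(?, ?, ...)" fragment plus its bind values.
 * Hypothetical helper for this example; not part of CodeIgniter.
 */
function build_in_clause(array $ids): array
{
    $clean = [];
    foreach ($ids as $id) {
        // Accept only non-negative integers; reject anything else instead of coercing it
        if (filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]) === false) {
            throw new InvalidArgumentException('Non-integer ID in list');
        }
        $clean[] = (int) $id;
    }
    if ($clean === []) {
        // "IN ()" is a syntax error, so the caller has to handle the empty case
        throw new InvalidArgumentException('Empty ID list');
    }
    $placeholders = '(' . implode(', ', array_fill(0, count($clean), '?')) . ')';
    return [$placeholders, $clean];
}

// Constructed sample data
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE ad_have (id INTEGER PRIMARY KEY, active TEXT, weekly_rent INTEGER)");
$pdo->exec("INSERT INTO ad_have VALUES (1,'y',300),(2,'y',0),(3,'n',250),(4,'y',410)");

$ad_ids = ['1', 2, '4'];   // constructed input, as it might arrive from a request
[$in, $binds] = build_in_clause($ad_ids);

$sql = "SELECT id FROM ad_have
        WHERE active = 'y'
          AND id IN $in
          AND weekly_rent > 0
        ORDER BY id DESC";
$stmt = $pdo->prepare($sql);
$stmt->execute($binds);     // each ID travels as a bound value, never as SQL text
print_r($stmt->fetchAll(PDO::FETCH_COLUMN));

// A constructed malformed entry is rejected before any SQL is built
try {
    build_in_clause(['1', '4 OR 1=1']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

In CodeIgniter the same `$sql` and `$binds` can be passed to `$this->db->query($sql, $binds)`, which fills the `?` placeholders through its query bindings.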

