|Question: reccommend me please universal approach of special chars escaping that will works with any database|
$sql="INSERT INTO table (field, field2) VALUES ('$value', '$value1')";
$value and $value1 is GET or POST, any. I have to escape special chars for safe.
For mySQL it looks $value=addslashes($value);
But when I tried it for Oracle my text was writed in database with backslashes.
If I want to create databaseindependent software I have to write
if ($metabase->database_type=='mysql') $value=addslashes($value);
if ($metabase->database_type=='oci') $value= str_replace("'", "''", $value);
It approach is bad becouse I have to list each database type. And str_replace('"', '""', $value) is strongly depended for query quotes: if I'll write
$sql='INSERT INTO table (field, field2) VALUES ("$value", "$value1")';
It would be error.
How may I write database independent code? My Oracle knowledges is weak, may be I don't know how escaping works with Oracle?