When using this, do you have to use sprintf? I.e.:
[code=php]
sprintf("INSERT INTO products (`name`, `description`, `user_id`) VALUES ('%s', '%s', %d)",
mysql_real_escape_string($product_name, $link),
mysql_real_escape_string($product_description, $link),
$_POST['user_id']);
[/code]
or is it also safe to do this:
[code=php]
$sql = "INSERT INTO products (`name`, `description`, `user_id`) VALUES ('".mysql_real_escape_string($product_name, $link)."', '".mysql_real_escape_string($product_description, $link)."', ".$_POST['user_id'].");";
[/code]
I would assume both would be appropriate.. But I have been proven wrong before ^_^
thanks
Kyle
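
Added example, not part of the original post: the two query forms above built from the same constructed input, next to a validated, parameterised insert. `esc()`, `build_sprintf()`, `build_concat()` and `insert_product()` are hypothetical names; `esc()` is only a stand-in for `mysql_real_escape_string()` so the comparison runs without a MySQL link, and an in-memory SQLite table stands in for the real one.

```php
<?php
// Constructed input standing in for $_POST; not from the original post.
$in = ['name' => "O'Reilly widget", 'description' => 'sample', 'user_id' => '7 OR extra'];

// Hypothetical stand-in for mysql_real_escape_string($s, $link) so the
// comparison runs without a MySQL connection. Not a safe replacement for it.
function esc(string $s): string { return addslashes($s); }

// Form 1 from the post: %d makes sprintf() convert the argument to an integer.
function build_sprintf(array $in): string {
    return sprintf(
        "INSERT INTO products (`name`, `description`, `user_id`) VALUES ('%s', '%s', %d)",
        esc($in['name']), esc($in['description']), $in['user_id']
    );
}

// Form 2 from the post: user_id is concatenated as-is, with no escaping or cast.
function build_concat(array $in): string {
    return "INSERT INTO products (`name`, `description`, `user_id`) VALUES ('"
        . esc($in['name']) . "', '" . esc($in['description']) . "', "
        . $in['user_id'] . ");";
}

// Hardened form: reject non-integer ids, then bind every value as a parameter.
function insert_product(PDO $db, array $in): bool {
    $userId = filter_var($in['user_id'], FILTER_VALIDATE_INT);
    if ($userId === false) {
        return false; // not an integer: refuse instead of guessing
    }
    $stmt = $db->prepare(
        'INSERT INTO products (name, description, user_id) VALUES (?, ?, ?)'
    );
    return $stmt->execute([$in['name'], $in['description'], $userId]);
}

echo build_sprintf($in), "\n";
echo build_concat($in), "\n";

// Assumption: the pdo_sqlite extension is available; the in-memory table
// stands in for the MySQL `products` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (name TEXT, description TEXT, user_id INTEGER)');
var_dump(insert_product($db, $in));
var_dump(insert_product($db, ['user_id' => '7'] + $in));
```

With this input the sprintf form ends in `7)` because `%d` keeps only the leading integer, while the concatenated form carries the whole `7 OR extra` text into the statement. The hardened function refuses that value and accepts the plain `7`.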