I think the first code you had was fine, because the data manager escapes the string before including it in a query. In fact it looks like it also calls clean() on it, so you probably wouldn't even have to do that.
I think you still should consider what you do with the string when you get it back from the database, because although it was escaped to make it safe in a query, it hasn't necessarily been made safe for any purpose.
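As an added illustration of the point above (example code, not from the poster or the framework being discussed; it uses Python's standard `sqlite3` and `html` modules rather than the forum's "data manager" or `clean()`): a value that is made safe for the query by parameter binding comes back out of the database exactly as the user typed it, so each output sink (HTML page, JSON API) still has to apply its own context-specific encoding. The input string is constructed for the demonstration.

```python
import html
import json
import sqlite3

# Constructed sample input: a SQL-significant quote plus HTML markup.
SAMPLE_INPUT = "O'Brien <script>alert(1)</script>"


def store_and_fetch(user_input: str) -> str:
    """Insert the value with a bound parameter and read it back.

    Binding keeps the quote from breaking the statement, but it does not
    alter the stored text: what comes back is byte-for-byte the input.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (body TEXT)")
    conn.execute("INSERT INTO comments (body) VALUES (?)", (user_input,))
    row = conn.execute("SELECT body FROM comments").fetchone()
    conn.close()
    return row[0]


def render_html(body: str) -> str:
    """Encode for an HTML text/attribute context at output time."""
    return "<p>" + html.escape(body, quote=True) + "</p>"


def render_json(body: str) -> str:
    """Encode for a JSON response; a different sink, a different encoder."""
    return json.dumps({"body": body})


def has_raw_script_tag(rendered: str) -> bool:
    """Check used to show whether markup survived into the output unencoded."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    stored = store_and_fetch(SAMPLE_INPUT)
    print("from db :", stored)            # unchanged, still contains <script>
    print("as html :", render_html(stored))
    print("as json :", render_json(stored))
```

Running it shows the round-tripped value still carries the raw `<script>` tag; only the HTML-encoded rendering is safe to place in a page, and the JSON encoder produces something safe for a JSON body but not for direct insertion into HTML.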