At 9:17 AM -0500 1/8/09, Daniel Brown wrote:
> On Thu, Jan 8, 2009 at 09:10, tedd <tedd.sperling@xxxxxxxxx> wrote:
>> $sql = "SELECT id FROM modules_permissions WHERE id = '$permissionId' ";
> I was going to ask something about sanity, but then I remembered
> with whom it is I'm speaking. ;-P
> That aside, don't forget your pre-database-interaction sanity.
> Even an explicitly internally-defined variable can have issues, so
> unless you're 100% certain that it will be safe, it's better to <?php
> mysql_real_escape_string($permissionId); ?>, et al.
Hey, if I were you I wouldn't be talking about sanity now that you
have a digestive system that has a two hour sleep cycle. :-)
Yes, but the "pre-database-interaction sanity" (otherwise known as
"knowing what you're doing") goes without saying -- it's obvious --
that's like saying "Make sure you're connected to the database before
using the mysql_real_escape_string() function."
In any event, you always should clean your variables before creating
a query like that.
My post was about how overly complex the OP's query was -- after all,
it's just a very simple query. I didn't see any need for back-ticks
or convoluted quotes. If I was wrong, then I would like to know
better.
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
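The point both posters agree on, that a value such as $permissionId is cleaned before it reaches the SQL text, is simplest to guarantee with a prepared statement rather than by escaping. The following is an added example, not code from the thread or from either poster: it keeps the table and column names from tedd's query, uses PDO with an in-memory SQLite database so it runs without a MySQL server, and the rows it inserts are constructed sample data.

```php
<?php
// Added example (not from the thread): tedd's lookup written with a PDO
// prepared statement, so the id is bound as a value and never spliced into
// the SQL string. In-memory SQLite keeps it self-contained; the two rows
// are constructed for the demonstration.

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same table/column names as in the thread; rows are sample data.
    $db->exec('CREATE TABLE modules_permissions (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO modules_permissions (id, name) VALUES (1, 'read'), (2, 'write')");
    return $db;
}

// Looks up a permission id. $permissionId is treated as untrusted no matter
// where it was defined, which is Daniel's point: the query text is fixed and
// the value is bound separately, so no quoting or escaping of it is needed.
function findPermissionId(PDO $db, string $permissionId): ?int
{
    $stmt = $db->prepare('SELECT id FROM modules_permissions WHERE id = :id');
    $stmt->bindValue(':id', $permissionId, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['id'];
}

$db = openDemoDb();

// A well-formed id resolves to its row.
var_dump(findPermissionId($db, '2'));

// A value carrying a stray quote character: interpolated into the SQL string
// as in the original query it would break the statement or alter its meaning;
// bound as a parameter it is just a value that matches no row.
var_dump(findPermissionId($db, "2'"));
```

mysql_real_escape_string(), which the thread mentions, needs an open connection to know the connection's character set (the detail tedd alludes to) and was removed along with the rest of the mysql extension in PHP 7; binding parameters through PDO or mysqli avoids both concerns, and it also makes the back-ticks and nested quotes the original poster used unnecessary.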
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php