On Thu, Jan 8, 2009 at 12:18 PM, tedd <tedd.sperling@xxxxxxxxx> wrote:
> At 9:17 AM -0500 1/8/09, Daniel Brown wrote:
>>
>> On Thu, Jan 8, 2009 at 09:10, tedd <tedd.sperling@xxxxxxxxx> wrote:
>>>
>>> $sql = "SELECT id FROM modules_permissions WHERE id = '$permissionId' ";
>>
>> I was going to ask something about sanity, but then I remembered
>> with whom it is I'm speaking. ;-P
>>
>> That aside, don't forget your pre-database-interaction sanity.
>> Even an explicitly internally-defined variable can have issues, so
>> unless you're 100% certain that it will be safe, it's better to <?php
>> mysql_real_escape_string($permissionId); ?>, et al.
>
>
> Hey, if I were you I wouldn't be talking about sanity now that you have a
> digestive system that has a two hour sleep cycle. :-)
>
> Yes, but the "pre-database-interaction sanity" (otherwise known as "knowing
> what you're doing") goes without saying -- it's obvious -- that's like
> saying "Make sure you're connected to the database before using
> mysql_real_escape_string() function."
>
> In any event, you always should clean your variables before creating a query
> like that.
>
> My post was about how overly complex the OP's query was -- after all, it's
> just a very simple query. I didn't see any need for back-ticks or convoluted
> quotes. If I was wrong, then I would like to know better.
>
> Cheers,
>
> tedd
>

I can take or leave the backticks. However, one of my pet peeves is comparing a string/varchar value to a numeric column. I know that most databases will implicitly convert the character value to an integer when the query executes. If the column is numeric, compare it to a number, not the best numeric interpretation that the database engine will implicitly decide for the string you provide.

Andrew

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
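The two points made in the thread, that the interpolated `'$permissionId'` needs escaping at all and that an integer column should be compared to an integer rather than a quoted string, can be shown side by side. The following is an added example, not code from the thread; it uses Python with an in-memory SQLite database as a stand-in for the PHP/MySQL setup under discussion. The `modules_permissions` table only has the `id` column the thread's query names; its `name` column and the three rows are constructed here. Note that SQLite's string-to-number coercion is stricter than MySQL's (MySQL would evaluate `id = '5abc'` as `id = 5`), which is exactly why the hardened lookup converts the value to an integer itself rather than leaving that decision to the engine.

```python
import re
import sqlite3

def make_db():
    """Constructed sample database standing in for the thread's MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE modules_permissions (id INTEGER PRIMARY KEY, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO modules_permissions (id, name) VALUES (?, ?)",
        [(1, "read"), (2, "write"), (3, "admin")],  # constructed rows
    )
    return conn

def lookup_interpolated(conn, permission_id):
    """Mirrors the thread's $sql: the value is pasted into the query as a
    quoted string.  Nothing stops a value from closing the quote and
    extending the WHERE clause, and the integer column is compared to a
    string, so the engine decides how to coerce it."""
    sql = f"SELECT id FROM modules_permissions WHERE id = '{permission_id}' "
    return sorted(row[0] for row in conn.execute(sql))

def parse_permission_id(value):
    """Hardened input handling: accept only a plain run of digits and return
    it as an int, otherwise return None.  A strict pattern is used instead of
    int() alone because int() also accepts '+2', ' 2 ' and '2_0'."""
    text = str(value)
    if re.fullmatch(r"[0-9]+", text) is None:
        return None
    return int(text)

def lookup_parameterized(conn, permission_id):
    """Hardened lookup: reject anything that is not an integer, then bind
    the int as a parameter so it is compared to the numeric column as a
    number and can never alter the SQL text."""
    pid = parse_permission_id(permission_id)
    if pid is None:
        raise ValueError(f"permission id must be an integer, got {permission_id!r}")
    rows = conn.execute(
        "SELECT id FROM modules_permissions WHERE id = ?", (pid,)
    )
    return sorted(row[0] for row in rows)

if __name__ == "__main__":
    db = make_db()
    hostile = "2' OR '1'='1"          # constructed attacker-controlled value
    print(lookup_interpolated(db, "2"))        # [2]
    print(lookup_interpolated(db, hostile))    # every row: [1, 2, 3]
    print(lookup_parameterized(db, "2"))       # [2]
    try:
        lookup_parameterized(db, hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The interpolated form returns every row for the hostile value because the query text becomes `WHERE id = '2' OR '1'='1'`; the parameterized form never builds that text, and because the bound value is an `int`, the `id = ?` comparison is number to number with no implicit conversion for the engine to guess at.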