At 6:39 PM -0400 7/11/09, Haig Dedeyan wrote:
[1]
mysql_query("INSERT INTO phonedir
(fname, lname) VALUES('$new_fname','$new_lname')")
or die(mysql_error());
or
[2]
mysql_query("INSERT INTO phonedir
(fname, lname)
VALUES('".mysql_real_escape_string($new_fname)."','".mysql_real_escape_string($new_lname)."')")
or die(mysql_error());
I always do [1] and NOT [2].
The reason for this is that when I clean and scrub data prior to
insertion, I may do more than pass it through a
mysql_real_escape_string() function.
For example, I may want to trim() it; or check if it's a valid email
address; or check if it's a number; or do any number of other checks
prior to insertion. I don't want to place all those functions into a
query, so why place one?
Lastly, I think [1] is easier to read than [2].
That's my take.
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)
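As an added illustration of the scrub-first approach tedd describes (this is not code from either poster), using mysqli in place of the removed mysql_* functions; the $db connection details, the extra email column and the POST field names are assumptions:

```php
<?php
// Added example: every value is trimmed, validated and escaped in one place
// before the query is built, so the query itself stays readable like [1].
// Assumes a mysqli connection and a table phonedir(fname, lname, email).

function scrub_name(mysqli $db, string $raw, int $max = 50): ?string
{
    $v = trim($raw);                      // strip stray whitespace first
    if ($v === '' || strlen($v) > $max) {
        return null;                      // reject empty or oversized input
    }
    // Escape once, only after validation, and never again on the way in.
    return $db->real_escape_string($v);
}

function scrub_email(mysqli $db, string $raw): ?string
{
    $v = trim($raw);
    if (filter_var($v, FILTER_VALIDATE_EMAIL) === false) {
        return null;                      // not a syntactically valid address
    }
    return $db->real_escape_string($v);
}

$db = new mysqli('localhost', 'user', 'pass', 'phonebook'); // placeholder credentials
$db->set_charset('utf8mb4');  // escaping is only correct for the connection charset

$new_fname = scrub_name($db, $_POST['fname'] ?? '');
$new_lname = scrub_name($db, $_POST['lname'] ?? '');
$new_email = scrub_email($db, $_POST['email'] ?? '');

if ($new_fname === null || $new_lname === null || $new_email === null) {
    exit('invalid input');                // nothing unscrubbed reaches the query
}

// All three values are already escaped; the quotes around each one are
// still required, since escaping only protects text inside a quoted literal.
$db->query("INSERT INTO phonedir (fname, lname, email)
            VALUES ('$new_fname', '$new_lname', '$new_email')")
    or die($db->error);
```

The trade-off tedd does not mention: with this style every variable that reaches a query must have passed through a scrub function, so a single missed one reintroduces the injection risk that [2] makes visible at the query.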