On July 12, 2009 08:52:56 am Haig Dedeyan wrote:
> At 6:39 PM -0400 7/11/09, Haig Dedeyan wrote:
> > [1]
> >
> > mysql_query("INSERT INTO phonedir
> > (fname, lname) VALUES('$new_fname','$new_lname')")
> > or die(mysql_error());
> >
> > or
> >
> > [2]
> >
> > mysql_query("INSERT INTO phonedir
> > (fname, lname)
> > VALUES('".mysql_real_escape_string($new_fname)."','".mysql_real_escape_string($new_lname)."')") or die(mysql_error());
>
> I always do [1] and NOT [2].
>
> The reason for this is that when I clean and scrub data prior to
> insertion, I may do more than pass it through a
> mysql_real_escape_string() function.
>
> For example, I may want to trim() it; or check if it's a valid email
> address; or check if it's a number; or do any number of other checks
> prior to insertion. I don't want to place all those functions into a
> query, so why place one?
>
> Lastly, I think [1] is easier to read than [2].
>
> That's my take.
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com http://ancientstones.com http://earthstones.com

Thanks. Yes, I agree [1] is the better way to go.

After reading Nisse's response, it looks like the backslashes are never stored in the table, so all is good for me.

Thanks to everyone who helped out.

Cheers
Haig
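The following is an added example, not code from the thread above. It puts the two forms under discussion ([1] raw variable interpolation and [2] per-value escaping) next to a prepared statement, and feeds all three the same legitimate input containing an apostrophe, then reads the row back to confirm that the backslash added by escaping is not what gets stored. It assumes a reachable MySQL/MariaDB server (the connection constants are placeholders), a table phonedir with columns fname and lname, and the mysqli extension, since the mysql_* functions used in the thread no longer exist in PHP 7 and later.

```php
<?php
// Added example, not code from the original mailing-list thread.
// Assumptions: mysqli extension; a server reachable with the placeholder
// constants below; a table `phonedir` with columns fname, lname.

// Make failed queries return false instead of throwing, so the three
// variants can be compared in one run on PHP 8.1+ as well as older versions.
mysqli_report(MYSQLI_REPORT_OFF);

const DB_HOST = 'localhost';   // placeholder
const DB_USER = 'app_user';    // placeholder
const DB_PASS = 'change-me';   // placeholder
const DB_NAME = 'app';         // placeholder

// Constructed sample input: an ordinary surname that happens to contain
// the SQL string delimiter. It exercises the same mechanism as hostile input.
$new_fname = "Conan";
$new_lname = "O'Brien";

$db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
if ($db->connect_error) {
    die("connect failed: " . $db->connect_error);
}
// Escaping is charset-dependent; set the connection charset before escaping.
$db->set_charset('utf8mb4');

// [1] Raw interpolation, as in the thread. The apostrophe in O'Brien ends the
// string literal early, so the statement is malformed and the insert fails.
// Untrusted text placed here becomes part of the statement, not of the data.
$sql1 = "INSERT INTO phonedir (fname, lname) VALUES ('$new_fname','$new_lname')";
echo "[1] ", ($db->query($sql1) ? "ok" : "error: " . $db->error), "\n";

// [2] Escape each value where it enters the query. The backslash that
// real_escape_string() inserts is consumed by the SQL parser, so the stored
// value is O'Brien, not O\'Brien, which is the point settled in the thread.
$sql2 = sprintf(
    "INSERT INTO phonedir (fname, lname) VALUES ('%s','%s')",
    $db->real_escape_string($new_fname),
    $db->real_escape_string($new_lname)
);
echo "[2] ", ($db->query($sql2) ? "ok" : "error: " . $db->error), "\n";

// [3] Prepared statement. Values are sent separately from the SQL text, so
// there is no escaping step to forget. tedd's cleaning (trim(), format and
// type checks) still happens on the variables beforehand; binding then
// handles quoting no matter what characters survive that cleaning.
$fname = trim($new_fname);
$lname = trim($new_lname);
$stmt = $db->prepare("INSERT INTO phonedir (fname, lname) VALUES (?, ?)");
if ($stmt === false) {
    die("prepare failed: " . $db->error);
}
$stmt->bind_param('ss', $fname, $lname);
echo "[3] ", ($stmt->execute() ? "ok" : "error: " . $stmt->error), "\n";
$stmt->close();

// Read back what was actually stored: no backslash appears in either row.
$sel = $db->prepare("SELECT lname FROM phonedir WHERE fname = ?");
$sel->bind_param('s', $fname);
$sel->execute();
$sel->bind_result($stored);
while ($sel->fetch()) {
    echo "stored: ", $stored, "\n";
}
$sel->close();
$db->close();
```

Run it once against a scratch database; expect [1] to report a syntax error while [2] and [3] succeed and both stored rows read back as O'Brien. Of the three, only [3] keeps the quoting correct without relying on every code path remembering to escape, which is why it is the form to reach for when the validation tedd describes is done on the variables first.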