On 10/26/2011 07:20 AM, Rick Dwyer wrote:
> Hello all.
>
> I inherited some PHP pages about a year ago. They have been fine all
> along but now a bunch of erroneous errors and results are popping up. I
> traced it to the way the variables were being used on the page... for
> example, the following SQL statement (a space between ' and " for clarity):
>
> sql="select name from mytable where name=$myvar and display='yes' ";
>
> This has worked in the past but is now returning errors for some records
> and working for others. I changed the above to the following and now
> all is good:
>
> sql="select name from mytable where name=' ".$myvar." ' and
> display='yes' ";
>
> What would explain why the former is suddenly causing problems? The
> version of PHP is 5.2.3 and from what I can tell, hasn't been updated
> since February of 2011.
>
> Thanks,
>
> --Rick
>

In addition to escaping the var with mysql_real_escape_string() or similar,
values for text columns need to be quoted as you did in your second example.

Consider this as a name:

name=Shawn McKenzie

Without quoting, the space breaks the query, so it would need to be:

name='Shawn McKenzie'

And the escaping would take care of:

name='Tip O'Neill'

--
Thanks!
-Shawn
http://www.spidean.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
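The three query shapes discussed in the thread (unquoted interpolation, quoted but unescaped, quoted and escaped), run against a small table, as an added example that is not part of either post. It uses Python's sqlite3 module as a stand-in for PHP/MySQL because the point is the SQL text, not the host language; the table `mytable`, its rows, and the `escape_sql_string()` helper are constructed for the example. The helper doubles single quotes, which both MySQL and SQLite accept inside a '...' literal, whereas mysql_real_escape_string() escapes with backslashes for MySQL specifically. The last function shows the placeholder form (PHP's mysqli or PDO prepared statements are the equivalent), which needs neither quoting nor escaping by the caller.

```python
import sqlite3

# Constructed sample data standing in for the thread's "mytable".
SAMPLE_ROWS = [("Shawn McKenzie", "yes"), ("Tip O'Neill", "yes"), ("Rick", "no")]


def make_db():
    """Build an in-memory table shaped like the one in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mytable (name text, display text)")
    conn.executemany("insert into mytable values (?, ?)", SAMPLE_ROWS)
    return conn


def escape_sql_string(value):
    """Stand-in for mysql_real_escape_string(): doubles embedded quotes
    so the value can be placed inside a '...' literal."""
    return value.replace("'", "''")


def run(sql, params=()):
    """Run one query; return matching names, or an 'error: ...' string
    so a broken query is visible rather than raising."""
    conn = make_db()
    try:
        return [row[0] for row in conn.execute(sql, params)]
    except sqlite3.Error as exc:
        return "error: " + str(exc)


def unquoted(myvar):
    """Rick's first form: the value is dropped into the SQL bare."""
    return run(f"select name from mytable where name={myvar} and display='yes'")


def quoted_unescaped(myvar):
    """Rick's second form: quoted, but quotes in the value are not escaped."""
    return run(f"select name from mytable where name='{myvar}' and display='yes'")


def quoted_escaped(myvar):
    """Shawn's advice: quote the literal AND escape the value."""
    safe = escape_sql_string(myvar)
    return run(f"select name from mytable where name='{safe}' and display='yes'")


def parameterized(myvar):
    """Placeholder form: the driver binds the value, so quoting and
    escaping are not the caller's problem at all."""
    return run("select name from mytable where name=? and display='yes'", (myvar,))


if __name__ == "__main__":
    for name in ("Shawn McKenzie", "Tip O'Neill", "x' or '1'='1"):
        print(repr(name))
        print("  unquoted        :", unquoted(name))
        print("  quoted_unescaped:", quoted_unescaped(name))
        print("  quoted_escaped  :", quoted_escaped(name))
        print("  parameterized   :", parameterized(name))
```

A name with a space fails the unquoted form with a syntax error; a name with an apostrophe fails the quoted-but-unescaped form because the apostrophe terminates the literal early. The third input shows why escaping is a correctness and a security matter at once: without escaping, the quoted form returns every row with display='yes', while the escaped and parameterized forms correctly return nothing.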