On Fri, 17 Oct 2003, BAO RuiXian wrote: > I see you can achieve this by two ways: > > 1. Take out all the inside quotes (single or double) like the following: > > $sql="insert into $table set Name = $_POST[elementName]"; This is bad. Using no quotes MAY work, but it is considered a "BARE WORD" and not an actual string. $sql='insert into '.$table.' set Name = "'.addslashes($_POST['elementName']).'"'; is the (more) correct way to do this. > 2. Use a temporary variable for $_POST[elementName], like $elementName > = $_POST[elementName], then continute use your original SQL sentence > when the register_globals was on. Waste (albeit very minor) of variable space. Concat them. Beckman --------------------------------------------------------------------------- Peter Beckman Internet Guy beckman@purplecow.com http://www.purplecow.com/ --------------------------------------------------------------------------- -- PHP Windows Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php