Re: [PHP-DB] Re: [PHP] $_POST in MySQL query issue...

On Fri, 17 Oct 2003, BAO RuiXian wrote:

> I see you can achieve this by two ways:
>
> 	1. Take out all the inside quotes (single or double) like the following:
>
> 	$sql="insert into $table set Name = $_POST[elementName]";

 This is bad.  Using no quotes MAY work, but it is considered a "BARE WORD"
 and not an actual string.

    $sql='insert into '.$table.' set Name = "'.addslashes($_POST['elementName']).'"';

 is the (more) correct way to do this.

> 	2. Use a temporary variable for $_POST[elementName], like $elementName
> = $_POST[elementName], then continue to use your original SQL sentence
> when the register_globals was on.

 Waste (albeit very minor) of variable space.  Concat them.

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@purplecow.com                             http://www.purplecow.com/
---------------------------------------------------------------------------

-- 
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
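
An added example, not part of the original thread: the same insert written with a bound parameter, so the POST value is passed as data instead of being concatenated into the SQL text, and with the table name checked against an allow-list because identifiers cannot be bound. It assumes PDO with an in-memory SQLite database so it runs offline, uses standard `INSERT ... VALUES` rather than MySQL's `INSERT ... SET`, and the names `insertName` and `ALLOWED_TABLES` are hypothetical.

```php
<?php
// Added example, not from the original thread. Assumes the pdo_sqlite
// extension; function, constant and table names are hypothetical.

const ALLOWED_TABLES = ['elements', 'products'];

function insertName(PDO $db, string $table, array $post): int
{
    // Identifiers cannot be bound as parameters, so accept only known names.
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("unknown table: $table");
    }
    // Reject a missing or non-string field (elementName[]=x arrives as an array).
    $name = $post['elementName'] ?? null;
    if (!is_string($name) || $name === '') {
        throw new InvalidArgumentException('elementName is required');
    }
    // The value travels separately from the SQL text; no quoting by hand.
    $stmt = $db->prepare("INSERT INTO $table (Name) VALUES (:name)");
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE elements (id INTEGER PRIMARY KEY, Name TEXT)');

// Constructed sample input standing in for $_POST.
$samples = [
    ['elementName' => 'Widget'],
    ['elementName' => "O'Brien"],
    ['elementName' => 'say "hi" with a back\\slash'],
];
foreach ($samples as $post) {
    $id = insertName($db, 'elements', $post);
    $stored = $db->query("SELECT Name FROM elements WHERE id = $id")->fetchColumn();
    // Each value round-trips byte for byte, quotes and backslashes included.
    var_dump($stored === $post['elementName']);
}

try {
    insertName($db, 'unknown_table', ['elementName' => 'a']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```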

