> At 16:19 17-6-03, you wrote:
> >$sql = 'select * from db where apple = \'' . $_POST['foo'] . '\';';
> >Like that?
> you missed some quotes:
> $sql = 'select * from db where apple = \''' . $_POST['foo'] . '\'"';
Go back and count the quotes again. The original post is correct as far as
quotes go. Yours is not, though, since you have three single quotes in a row
and have thrown in a double quote by itself.
Without color coding, this is all very hard to tell. That's why I prefer to
do it such as:
$sql = "SELECT * FROM db WHERE apple = '{$_POST['foo']}' ";
or, like someone else said, the following is perfectly valid:
$sql = "SELECT * FROM db WHERE apple = '$_POST[foo]' ";
There are way too many methods to do this, though, so just use the one that
makes the most sense to you. I've changed my mind about this a few times in
the past. :)
---John Holmes...
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
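Editor's note, added to this thread and not part of any poster's message: the three spellings discussed above differ only in how PHP parses the quotes; they produce byte-for-byte the same SQL string, and every one of them splices `$_POST['foo']` into the query unescaped, which is a textbook SQL injection. The example below builds all three strings, shows they are identical, runs the interpolated query against a throwaway SQLite database, and then runs the same lookup as a prepared statement with a bound parameter. The table name `db` and column `apple` are taken from the thread; the rows and the hostile `$_POST['foo']` value are constructed for the demonstration, and the code assumes PDO with the sqlite driver is available.

```php
<?php
// Added example: why the quoting debate above is beside the point for safety.
// Assumes PDO + sqlite driver. Table/column names come from the thread;
// rows and the request input are constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE db (id INTEGER PRIMARY KEY, apple TEXT, secret TEXT)');
$pdo->exec("INSERT INTO db (apple, secret) VALUES ('granny smith', 'row1'), ('fuji', 'row2')");

// Constructed request input: what a hostile client could send as foo.
// The embedded single quote closes the literal early and appends its own clause.
$_POST['foo'] = "x' OR '1'='1";

// 1. The three interpolation styles from the thread. They are the same string,
//    so they share the same flaw: user input becomes part of the SQL grammar.
$sql1 = 'SELECT * FROM db WHERE apple = \'' . $_POST['foo'] . '\'';
$sql2 = "SELECT * FROM db WHERE apple = '{$_POST['foo']}'";
$sql3 = "SELECT * FROM db WHERE apple = '$_POST[foo]'";
var_dump($sql1 === $sql2 && $sql2 === $sql3);

// The attacker-controlled OR '1'='1' clause matches every row, so the
// WHERE filter is bypassed and the whole table comes back.
$rows = $pdo->query($sql1)->fetchAll(PDO::FETCH_ASSOC);
echo "interpolated query: " . count($rows) . " rows\n";
print_r($rows);

// 2. Hardened form: a prepared statement with a bound parameter. The input is
//    transmitted as data and never parsed as SQL, so quoting it is a non-issue.
//    Only a row whose apple column literally equals the input string would match.
$stmt = $pdo->prepare('SELECT * FROM db WHERE apple = :apple');
$stmt->execute([':apple' => $_POST['foo']]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo "parameterised query: " . count($rows) . " rows\n";
```

PDO did not exist when this thread was written (it arrived with PHP 5.1), so the contemporary mitigation for the ext/mysql API was to pass the value through mysql_real_escape_string() before interpolating it. Escaping works only if it is applied to every interpolated value using the connection's character set; a bound parameter removes that per-call burden entirely, which is why prepared statements are the default recommendation now.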