On 19.09.2011 03:00, Hank wrote:
> I agree with Brandon's suggestions, I would just add when using numeric
> types in PHP statements where you have a variable replacement, for instance:
>
> $sql="INSERT into table VALUES ('$id','$val')";
>
> where $id is a numeric variable in PHP and a numeric field in the table,
> I'll include the $id in single quotes in the PHP statement, so even if the
> value of $id is null, alpha, or invalid (not numeric) it does not generate a
> mysql syntax error
what ugly style - if it is not numeric and you throw it to the database you are one of the many with a sql-injection because if you get invalid values until there you have done no sanitize before and do not here

$sql="INSERT into table VALUES (" . (int)$id . ",'" . mysql_real_escape_string($val) . "')";

or using an abstraction-layer (simple self written class)

$sql="INSERT into table VALUES (" . (int)$id . ",'" . $db->escape_string($val) . "')";

all other things in the context of hand-written queries are all the nice ones we read every day in the news and should NOT be recommended because the next beginner reading this makes all the mistakes again
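To make the two points of the reply concrete, here is an added example; it is not code from the thread or from any of its participants. It is a small self-written abstraction class around mysqli of the kind the reply mentions, placed beside the quoted pattern so the difference in the generated SQL is visible. The class name Db, its method names, the table name and the connection credentials are assumptions made for this illustration.

```php
<?php
// Added example, not from the mailing-list thread. Class name, method names,
// table name and connection parameters are assumptions for illustration only.

final class Db
{
    private mysqli $link;

    public function __construct(mysqli $link)
    {
        $this->link = $link;
    }

    // Escapes a string value for use between single quotes in a hand-written
    // query. Delegates to mysqli::real_escape_string so the connection's
    // character set is honoured (escaping without the connection is not safe).
    public function escape_string(string $value): string
    {
        return $this->link->real_escape_string($value);
    }

    // Builds the INSERT the reply recommends: the numeric column is cast to
    // int, the string column is escaped. In PHP, (int)"12abc" is 12 and
    // (int)"abc" is 0, so a non-numeric $id can never reach the SQL text.
    public function build_insert(mixed $id, string $val): string
    {
        return "INSERT INTO table VALUES (" . (int)$id . ",'" . $this->escape_string($val) . "')";
    }

    // The same insert as a prepared statement: the values are bound as an
    // integer ("i") and a string ("s") and never become part of the query text.
    public function insert_prepared(int $id, string $val): bool
    {
        $stmt = $this->link->prepare("INSERT INTO table VALUES (?, ?)");
        $stmt->bind_param("is", $id, $val);
        return $stmt->execute();
    }
}

// The pattern from the quoted message, kept for contrast: quoting $id only
// hides the syntax error; whatever the client sent goes into the SQL text as is.
function build_insert_quoted_unsafe(string $id, string $val): string
{
    return "INSERT INTO table VALUES ('$id','$val')";
}

// Placeholder credentials (assumption): replace with real ones before running.
$link = new mysqli("localhost", "user", "password", "dbname");
$db = new Db($link);

$id  = "12abc";     // constructed sample input: not a valid number
$val = "O'Reilly";  // constructed sample input: contains a single quote

echo build_insert_quoted_unsafe($id, $val), "\n";
echo $db->build_insert($id, $val), "\n";
```

With the constructed inputs, the first line printed carries the raw `12abc` and an unescaped quote into the query, while the second carries `12` and `O\'Reilly`. Two caveats for anyone copying the reply's first snippet today: the `mysql_*` extension that provides `mysql_real_escape_string` was removed in PHP 7.0, so the mysqli wrapper above (or PDO) is what remains; and the escape call must go through the live connection, because the escaping rules depend on the connection's character set. The `insert_prepared` method shows the stronger option for the same statement, where no escaping of values is needed at all.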