On Tue, Sep 20, 2011 at 01:11, Hank <hes...@gmail.com> wrote:
> Best of both worlds:
>> $username=$_POST['username'];
>> // do some stuff with username here
>> $M=array(); // Array of things to be inserted into MySQL
>> $M['username']=mysql_real_escape_string($username); // Everything that goes into $M is escaped
>> $query="INSERT INTO table (username) VALUES ('{$M['username']}')";
>>
>>
> I'm not sure I'm seeing why, in particular, you are using an array here?
>

I want to be sure that all variables in the query are escaped. I don't
trust myself or anyone else to do this to every variable right before
the query:

    $someVar=mysql_real_escape_string($someVar);

Furthermore, I don't want to clutter the query with
mysql_real_escape_string() all over the place. Therefore, I escape
everything before it goes into the array, so I know that all the data
in the array have been escaped. I can then use the array members in
the query.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
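
An added example, not part of the message above or of any poster's code: the same "every value goes through one array" idea, with the array handed to a prepared statement as bound parameters instead of being escaped and interpolated into the query string. It swaps mysql_real_escape_string() for PDO and assumes the pdo_sqlite extension so it runs without a server; `insertRow`, the `users` table and the sample input are hypothetical.

```php
<?php
// Added example: values reach the database only as bound parameters taken
// from one array, so no value can be forgotten or escaped twice.
// Assumptions: pdo_sqlite is available; insertRow() and "users" are made up.

function insertRow(PDO $db, string $table, array $row): void
{
    // Identifiers cannot be bound as parameters, so accept only plain names.
    foreach (array_merge(array($table), array_keys($row)) as $name) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', (string) $name)) {
            throw new InvalidArgumentException("Bad identifier: $name");
        }
    }

    $cols = array_keys($row);
    $placeholders = array_map(function ($c) { return ":$c"; }, $cols);

    // The SQL text contains only validated identifiers and placeholders.
    $sql = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        $table,
        implode(', ', $cols),
        implode(', ', $placeholders)
    );

    // Values travel separately from the SQL text; no quoting is involved.
    $db->prepare($sql)->execute($row);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT)');

// Constructed sample input containing quote characters.
$M = array();
$M['username'] = "O'Brien'); --";
insertRow($db, 'users', $M);

// Compare what was stored with what was supplied.
$stored = $db->query('SELECT username FROM users')->fetchColumn();
var_dump($stored === $M['username']);

// A key that is not a plain column name is rejected before any SQL is built.
try {
    insertRow($db, 'users', array('username) VALUES (1' => 'x'));
} catch (InvalidArgumentException $e) {
    echo "rejected: bad column name\n";
}
```

Escaping into an array protects only values that end up inside quoted string literals; bound parameters also cover numeric contexts, which is why the sketch uses them.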