On Fri, 17 Oct 2003, BAO RuiXian wrote:
> I see you can achieve this in two ways:
>
> 1. Take out all the inside quotes (single or double) like the following:
>
> $sql="insert into $table set Name = $_POST[elementName]";

This is bad. Using no quotes MAY work, but it is considered a "BARE WORD"
and not an actual string.

$sql='insert into '.$table.' set Name = "'.addslashes($_POST['elementName']).'"';

is the (more) correct way to do this.

> 2. Use a temporary variable for $_POST[elementName], like $elementName
> = $_POST[elementName], then continue to use your original SQL sentence
> when the register_globals was on.

Waste (albeit very minor) of variable space. Concat them.

Beckman
---------------------------------------------------------------------------
Peter Beckman Internet Guy
[EMAIL PROTECTED] http://www.purplecow.com/
---------------------------------------------------------------------------
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
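
Added example, not part of the original message: the same insert written with a bound parameter instead of string concatenation, so quotes in the posted value need no escaping, and with the table name checked against an allowlist because identifiers cannot be bound. It assumes PHP 7+ with pdo_sqlite, standard INSERT ... VALUES syntax rather than the thread's MySQL SET form, and hypothetical names (people, pets, insertName).

```php
<?php
// Added example; table names and insertName() are assumptions, not from the thread.
// Uses an in-memory SQLite database through PDO so it runs offline.

const ALLOWED_TABLES = ['people', 'pets'];  // identifiers cannot be bound: allowlist them

function insertName(PDO $db, string $table, $name): int
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("table not allowed: $table");
    }
    // A form field can arrive as an array (elementName[]=...), so check the type.
    if (!is_string($name) || $name === '') {
        throw new InvalidArgumentException('elementName must be a non-empty string');
    }
    // The value is sent separately from the SQL text; nothing is quoted or escaped by hand.
    $stmt = $db->prepare("INSERT INTO \"$table\" (Name) VALUES (:name)");
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, Name TEXT NOT NULL)');

// Constructed sample values standing in for $_POST['elementName'].
$samples = ["O'Brien", 'say "hi"', 'back\\slash', ['array', 'input']];

foreach ($samples as $value) {
    try {
        $id = insertName($db, 'people', $value);
        echo "stored row $id\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}

// Each accepted string comes back byte-for-byte, quotes and backslash included.
foreach ($db->query('SELECT id, Name FROM people') as $row) {
    echo $row['id'], ': ', $row['Name'], "\n";
}

// A table name outside the allowlist never reaches the SQL string.
try {
    insertName($db, 'orders', 'x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```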