On 21 Jul 2017, at 11:14, Rowan Worth <row...@dug.com> wrote:

> On 21 July 2017 at 17:50, Tim Streater <t...@clothears.org.uk> wrote:
>
>>    $sql = "UPDATE Movies SET name = '$newname' where id=$newid";
>>
>> Personally I don't like forcing PHP to scan strings so I tend to use
>> concatenation, rewriting the last of these as:
>>
>>    $sql = 'UPDATE Movies SET name = \'' . $newname . '\' where id=' .
>> $newid;
>>
>> but that's just a personal style preference.
>>
>
> Either way, I hope for your sake no one releases a movie called:
> Avengers!'; Drop Table Movies; --

That’s going to be a problem anyway if your strings can legally contain 
single-quotes, never mind little Bobby Tables. Sanitisation is called for.

> As Simon says, better to use something like $sql = 'UPDATE Movies SET name
> = ? WHERE id = ?' and bind your parameters in.

Not disagreeing, but I was operating on the first-things-first principle.


--
Cheers  --  Tim
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users