List:General Discussion« Previous MessageNext Message »
From:Reindl Harald Date:September 19 2011 4:47am
Subject:Re: Quotes around INSERT and SELECT statements' arguments from the
mysql CLI and PHP
View as plain text  

Am 19.09.2011 03:00, schrieb Hank:
> I agree with Brandon's suggestions, I would just add when using numeric
> types in PHP statements where you have a variable replacement, for instance:
> 
> $sql="INSERT into table VALUES ('$id','$val')";
> 
> where $id is a numeric variable in PHP and a numeric field in the table,
> I'll include the $id in single quotes in the PHP statement, so even if the
> value of $id is null, alpha, or invalid (not numeric) it does not generate a
> mysql syntax error

what ugly style - if it is not numeric and you throw it to the database
you are one of the many with a sql-injection because if you are get
ivalid values until there you have done no sanitize before and do not here

$sql="INSERT into table VALUES (" . (int)$id . ",'" . mysql_real_escape_string($val) .
"')";
or using a abstraction-layer (simple self written class)
$sql="INSERT into table VALUES (" . (int)$id . ",'" . $db->escape_string($val) . "')";

all other things in the context of hand-written queries are all the nice one we read every
day in the news and should NOT recommended because the next beginner reading this makes
all
the mistakes again



Attachment: [application/pgp-signature] OpenPGP digital signature signature.asc
Thread
Quotes around INSERT and SELECT statements' arguments from the mysqlCLI and PHPDotan Cohen18 Sep
  • Re: Quotes around INSERT and SELECT statements' arguments from themysql CLI and PHPBrandon Phelps18 Sep
    • Re: Quotes around INSERT and SELECT statements' arguments from themysql CLI and PHPDotan Cohen18 Sep
      • Re: Quotes around INSERT and SELECT statements' arguments from themysql CLI and PHPHank19 Sep
        • Re: Quotes around INSERT and SELECT statements' arguments from themysql CLI and PHPReindl Harald19 Sep
          • Re: Quotes around INSERT and SELECT statements' arguments from themysql CLI and PHPDotan Cohen19 Sep
          • Re: Quotes around INSERT and SELECT statements' arguments from themysql CLI and PHPHank19 Sep
            • Re: Quotes around INSERT and SELECT statements' arguments from themysql CLI and PHPReindl Harald19 Sep
              • Re: Quotes around INSERT and SELECT statements' arguments from themysql CLI and PHPDotan Cohen19 Sep
                • Re: Quotes around INSERT and SELECT statements' arguments from themysql CLI and PHPHank20 Sep
                  • Re: Quotes around INSERT and SELECT statements' arguments from themysql CLI and PHPDotan Cohen20 Sep
                    • Re: Quotes around INSERT and SELECT statements' arguments from themysql CLI and PHPReindl Harald20 Sep
                      • Re: Quotes around INSERT and SELECT statements' arguments from themysql CLI and PHPDotan Cohen20 Sep
                      • Re: Quotes around INSERT and SELECT statements' arguments from themysql CLI and PHPDotan Cohen20 Sep
                        • Re: Quotes around INSERT and SELECT statements' arguments from themysql CLI and PHPReindl Harald20 Sep
                    • Re: Quotes around INSERT and SELECT statements' arguments from themysql CLI and PHPHank20 Sep
                      • Re: Quotes around INSERT and SELECT statements' arguments from themysql CLI and PHPDotan Cohen20 Sep
        • Re: Quotes around INSERT and SELECT statements' arguments from themysql CLI and PHPDotan Cohen19 Sep