List: General Discussion
From: Reindl Harald
Date: September 19 2011 4:47am
Subject: Re: Quotes around INSERT and SELECT statements' arguments from the mysql CLI and PHP
On 19.09.2011 03:00, Hank wrote:
> I agree with Brandon's suggestions, I would just add when using numeric
> types in PHP statements where you have a variable replacement, for instance:
>
> $sql="INSERT into table VALUES ('$id','$val')";
>
> where $id is a numeric variable in PHP and a numeric field in the table,
> I'll include the $id in single quotes in the PHP statement, so even if the
> value of $id is null, alpha, or invalid (not numeric) it does not generate a
> mysql syntax error

what ugly style - if it is not numeric and you throw it to the database you
are one of the many with a sql-injection because if you get invalid values
until there you have done no sanitizing before and do not here

$sql="INSERT into table VALUES (" . (int)$id . ",'" . mysql_real_escape_string($val) . "')";

or using an abstraction-layer (simple self written class)

$sql="INSERT into table VALUES (" . (int)$id . ",'" . $db->escape_string($val) . "')";

all other things in the context of hand-written queries are all the nice ones
we read every day in the news and should NOT be recommended because the next
beginner reading this makes all the mistakes again

Attachment: [application/pgp-signature] OpenPGP digital signature signature.asc
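As an added illustration of the cast-and-escape advice in this reply (example code written for this page, not code from the thread or from either poster): the same INSERT is built three ways, the interpolated form from the quoted message, the `(int)` cast plus escaping the reply recommends, and a prepared statement, and each is run against an in-memory SQLite database through PDO so the script works offline. The table `items`, the sample inputs, and `PDO::quote()` standing in for `mysql_real_escape_string()` are assumptions for the demo; with MySQL only the DSN changes.

```php
<?php
// Added example, not from the mailing-list post. Demonstrates why a
// quoted-but-unescaped interpolated value is fragile, and what the
// (int) cast plus escaping (or a prepared statement) changes.
// $db, the table "items", $id and $val are constructed for this demo.

$db = new PDO('sqlite::memory:');                     // offline stand-in for a MySQL DSN
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER, val TEXT)');

// Inputs as they might arrive from a form: $id is not numeric, $val has a quote.
$id  = 'abc';
$val = "O'Brien";

// 1) The style from the quoted message: everything interpolated, the numeric
//    value wrapped in single quotes. The apostrophe in $val breaks the SQL,
//    and whatever is in $id/$val becomes part of the statement text.
$unsafe = "INSERT INTO items VALUES ('$id','$val')";
try {
    $db->exec($unsafe);
    echo "unsafe query unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "unsafe query failed: " . $e->getMessage() . "\n";
}

// 2) The reply's recommendation: force the numeric column to an integer and
//    escape the string. PDO::quote() plays the role of mysql_real_escape_string()
//    here and adds the surrounding quotes itself. (int)'abc' becomes 0.
$escaped = "INSERT INTO items VALUES (" . (int)$id . "," . $db->quote($val) . ")";
$db->exec($escaped);

// 3) A prepared statement: the values are bound separately and never become
//    part of the SQL text, so no escaping of $val is needed at all.
$stmt = $db->prepare('INSERT INTO items VALUES (:id, :val)');
$stmt->execute([':id' => (int)$id, ':val' => $val]);

// Both hardened variants store id=0 and the apostrophe intact.
foreach ($db->query('SELECT id, val FROM items') as $row) {
    printf("id=%d val=%s\n", $row['id'], $row['val']);
}
```

Run it with `php example.php`: the first statement fails with a syntax error near "Brien", the other two insert a row with `id=0` and `val=O'Brien`. The cast is what keeps a non-numeric `$id` from ever reaching the SQL text as a string; the prepared statement is the variant to prefer in new code because it removes the escaping step, and with it the mistake this thread is about, entirely.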
