List: General Discussion
From: Hank
Date: September 19 2011 2:55pm
Subject: Re: Quotes around INSERT and SELECT statements' arguments from the mysql CLI and PHP
>
> what ugly style - if it is not numeric and you throw it to the database
> you are one of the many with a sql-injection because if you get
> invalid values until there you have done no sanitize before and do not here
>
>
It's a matter of opinion. I never said the data wasn't sanitized (it is).
But sometimes calculated values or bugs in PHP code end up with a null
variable field. I was just suggesting the choice between two errors -- one
syntax which will generate a hard failure of the query and likely whatever
page, or a soft logical error, which won't. In either case, I have error
trapping to catch both types of errors and alert me to them. I prefer the
errors to be logical ones and not syntax errors.


> $sql="INSERT into table VALUES (" . (int)$id . ",'" . mysql_real_escape_string($val) . "')";
> or using an abstraction layer (simple self written class)
> $sql="INSERT into table VALUES (" . (int)$id . ",'" . $db->escape_string($val) . "')";

I think what you posted is ugly "style" which makes reading the actual SQL
in PHP code much harder to read and debug.  The data validation should take
place elsewhere long before it gets to constructing the SQL statement.
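As an added example (not code from the thread or from either poster), the two styles side by side: the cast-and-escape concatenation from the quoted message, and a prepared statement where no quoting decisions appear in the SQL text at all. It assumes PDO with the sqlite driver is available so it runs without a MySQL server; the PDO calls are the same against MySQL with a different DSN. The table name and values are constructed for the demo.

```php
<?php
declare(strict_types=1);

// In-memory SQLite stands in for MySQL so the example runs offline (assumption).
function setupDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE items (id INTEGER, val TEXT)');
    return $pdo;
}

// Concatenation style from the thread. PDO::quote() plays the role of
// mysql_real_escape_string(). The (int) cast turns a null/empty $id into 0,
// so a missing id is silently stored as 0: the "soft logical error" Hank
// describes, rather than a syntax error from an empty "VALUES (, ...)".
function insertConcat(PDO $pdo, ?int $id, string $val): void {
    $sql = "INSERT INTO items VALUES (" . (int)$id . ", " . $pdo->quote($val) . ")";
    $pdo->exec($sql);
}

// Prepared-statement style: values travel separately from the SQL text, so the
// quote in O'Reilly needs no escaping in the query, and a null $id stays NULL
// instead of becoming 0. The type is declared per parameter.
function insertPrepared(PDO $pdo, ?int $id, string $val): void {
    $stmt = $pdo->prepare('INSERT INTO items (id, val) VALUES (:id, :val)');
    $stmt->bindValue(':id', $id, $id === null ? PDO::PARAM_NULL : PDO::PARAM_INT);
    $stmt->bindValue(':val', $val, PDO::PARAM_STR);
    $stmt->execute();
}

function allRows(PDO $pdo): array {
    return $pdo->query('SELECT id, val FROM items ORDER BY rowid')
               ->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = setupDb();
insertConcat($pdo, null, "O'Reilly");    // row stored with id 0
insertPrepared($pdo, null, "O'Reilly");  // row stored with id NULL
insertPrepared($pdo, 42, "O'Reilly");    // row stored with id 42
foreach (allRows($pdo) as $row) {
    echo var_export($row['id'], true), ' | ', $row['val'], "\n";
}
```

Run with `php example.php`; the first line shows id 0 for the concatenated insert and the second shows NULL for the prepared one, which is the difference between a logical error and a preserved missing value.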
