List: General Discussion
From: Dotan Cohen
Date: September 19 2011 10:39pm
Subject: Re: Quotes around INSERT and SELECT statements' arguments from the mysql CLI and PHP
On Tue, Sep 20, 2011 at 01:11, Hank <heskin@stripped> wrote:
> Best of both worlds:
>> $username=$_POST['username'];
>> // do some stuff with username here
>> $M=array(); // Array of things to be inserted into MySQL
>> $M[username]=mysql_real_escape_string($username); // Everything that
>> goes into $M is escaped
>> $query="INSERT INTO table (username) VALUES ('{$M[username]}')";
>>
>
> I'm not sure I'm seeing why, in particular, you are using an array here?
>

I want to be sure that all variables in the query are escaped. I don't trust myself or anyone else to do this to every variable right before the query:

$someVar=mysql_real_escape_string($someVar);

Furthermore, I don't want to clutter the query with mysql_real_escape_string() all over the place. Therefore, I escape everything before it goes into the array, so I know that all the data in the array have been escaped. I can then use the array members in the query.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com
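The following is an added example, not code from Dotan Cohen or Hank. It keeps the post's idea of gathering every value destined for the query in one array, but passes that array to a PDO prepared statement as bound parameters instead of escaping each member with mysql_real_escape_string(), so no quoting is ever done by hand inside the SQL text. The table name `users`, the functions `connect`, `insertUser` and `findUser`, and the in-memory SQLite DSN are assumptions made for the example; SQLite is used only so the script runs without a MySQL server.

```php
<?php
// Added example (not from the thread). The values for the query are collected
// in an array, as in the post, but the query references only placeholders and
// the driver receives the values separately, so nothing needs escaping.

function connect(): PDO
{
    // Assumption: in-memory SQLite so this runs offline. For MySQL the DSN
    // would be along the lines of
    //   new PDO('mysql:host=db.example;dbname=app;charset=utf8mb4', $user, $pass)
    // with PDO::ATTR_EMULATE_PREPARES set to false, so the server rather than
    // the client separates SQL from data.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Hypothetical table for the example.
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
    return $pdo;
}

// Counterpart of the post's $M array: $params holds everything that goes into
// the statement, and the SQL string itself never contains user data.
function insertUser(PDO $pdo, string $username): int
{
    $params = [':username' => $username];
    $stmt = $pdo->prepare('INSERT INTO users (username) VALUES (:username)');
    $stmt->execute($params);
    return (int) $pdo->lastInsertId();
}

function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = connect();

// Constructed input containing a single quote, a statement terminator and a
// comment marker. In the thread's concatenated query this is only safe if
// someone remembered to escape it; as a bound parameter it is stored and
// compared literally, so the round trip below returns the same string.
$tricky = "o'brien'; -- ";
insertUser($pdo, 'alice');
insertUser($pdo, $tricky);

$found = findUser($pdo, $tricky);
var_dump($found !== null && $found['username'] === $tricky);
var_dump((int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn());
```

Run it with `php example.php` on a PHP build that has pdo_sqlite enabled. Two points for anyone still on the pattern in the thread: the mysql_* extension that provides mysql_real_escape_string() was removed in PHP 7, and that function only escapes correctly when the connection character set matches the one the application assumes, which is one more detail per query that bound parameters take off the programmer's hands. The "collect values in an array" discipline from the post survives unchanged; it just becomes the parameter array passed to execute().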
