List: General Discussion
From: Dotan Cohen
Date: September 19 2011 10:39pm
Subject: Re: Quotes around INSERT and SELECT statements' arguments from the mysql CLI and PHP
On Tue, Sep 20, 2011 at 01:11, Hank <heskin@stripped> wrote:
> Best of both worlds:
>> $username=$_POST['username'];
>> // do some stuff with username here
>> $M=array();  // Array of things to be inserted into MySQL
>> $M['username']=mysql_real_escape_string($username); // Everything that
>> // goes into $M is escaped
>> $query="INSERT INTO table (username) VALUES ('{$M['username']}')";
>>
>>
> I'm not sure I'm seeing why, in particular, you are using an array here?
>

I want to be sure that all variables in the query are escaped. I don't
trust myself or anyone else to do this to every variable right before
the query:
$someVar=mysql_real_escape_string($someVar);

Furthermore, I don't want to clutter the query with
mysql_real_escape_string() all over the place. Therefore, I escape
everything before it goes into the array, so I know that all the data
in the array have been escaped. I can then use the array members in
the query.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com
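The pattern discussed in this thread, written out as an added example (not code from any of the posters): one function escapes every value before it enters the array, so the query text can only ever see escaped data, followed by the prepared-statement form that removes the need for escaping altogether. The `$db` mysqli connection, the `users` table and the `escapeAll()` helper are assumptions for illustration; `mysql_real_escape_string()` from the thread belongs to the old `mysql` extension, which was removed in PHP 7, so the example uses `mysqli::real_escape_string()`, which does the same job against the connection's character set.

```php
<?php
// Added example, not from the thread. Assumes a mysqli connection; the
// credentials and table name below are placeholders.
declare(strict_types=1);

$db = new mysqli('localhost', 'db_user', 'db_password', 'example_db');  // placeholder credentials
$db->set_charset('utf8mb4');  // escaping is only correct for the charset the connection uses

/**
 * Escape every value of $raw with the connection-aware escaper and return
 * a new array with the same keys. Nothing that is not in the returned
 * array should ever be interpolated into SQL text.
 */
function escapeAll(mysqli $db, array $raw): array
{
    $escaped = [];
    foreach ($raw as $key => $value) {
        // Escaping only makes sense for text that will sit inside quotes,
        // so everything is treated as a string here.
        $escaped[$key] = $db->real_escape_string((string) $value);
    }
    return $escaped;
}

// --- The discipline from the thread: escape once, on the way into $M ---
// Array keys are quoted; $M[username] (bare word) is an undefined constant
// and an Error in PHP 8.
$M = escapeAll($db, ['username' => $_POST['username'] ?? '']);
$query = "INSERT INTO users (username) VALUES ('{$M['username']}')";
$db->query($query);

// --- Prepared statement: the value is sent separately from the SQL text,
// so there is nothing to escape and nothing to forget. ---
$username = $_POST['username'] ?? '';
$stmt = $db->prepare('INSERT INTO users (username) VALUES (?)');
$stmt->bind_param('s', $username);  // 's' = bind as string
$stmt->execute();
```

Two caveats worth keeping in mind with the escaping approach: it only protects values that are placed inside quotes in the query (an unquoted numeric position such as `WHERE id = {$M['id']}` gains nothing from escaping), and it depends on the escaper knowing the connection's character set, which is why `set_charset()` is called before any escaping. The prepared-statement form has neither dependency, which is why it is the usual recommendation even when a well-disciplined escaping array is in place.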