List: General Discussion
From: Dotan Cohen
Date: September 19 2011 11:20pm
Subject: Re: Quotes around INSERT and SELECT statements' arguments from the mysql CLI and PHP
On Tue, Sep 20, 2011 at 02:09, Hank <heskin@stripped> wrote:
>>
>> I want to be sure that all variables in the query are escaped. I don't
>> trust myself or anyone else to do this to every variable right before
>> the query:
>> $someVar=mysql_real_escape_string($someVar);
>>
>
> But you're doing exactly that right before the query anyway with:
> $M[username]=mysql_real_escape_string($username);
> You're just complicating things with the addition of an unneeded array. It
> seems much simpler and less cluttered to just do:
> $someVar=mysql_real_escape_string($someVar);
> before your insert. All you are doing is changing "$someVar" to "$M[...]"
> and then using $M[...] in the query. I really don't see the difference or
> benefit of using your array here. Both methods are doing exactly the same
> thing, except one is more convoluted.

I know that this has been escaped:
$query="INSERT INTO table (username) VALUES ('{$M[username]}')";

This, I don't know if it has been escaped or not:
$query="INSERT INTO table (username) VALUES ('{$username}')";

> Now on the other hand, if you have several elements in the array $M to be
> inserted, and have a function like this to escape them all at once:
> foreach ($M as &$val) $val= mysql_real_escape_string($val);
> then your method starts to make more sense.

I could foreach it. Or not. It doesn't matter. The point is having
known-safe variables being used in the query, which are also easy to read.

--
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com
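The "known-safe array" pattern the thread argues about, written out as an added example that is not code from either poster. It uses mysqli rather than the mysql_* functions quoted above (the mysql extension was removed in PHP 7.0), and it assumes a reachable MySQL server with a table `users(username, email)`; the host, credentials and database name are placeholders. The escaping chokepoint is a single function, so whether a value in `$M` has been escaped is never in doubt; the second insert shows the same write as a prepared statement, where the values never enter the SQL text at all.

```php
<?php
// Added example (not from the thread). Assumes a live mysqli connection and a
// table `users` with `username` and `email` columns; connection details are
// placeholders.
declare(strict_types=1);

$db = new mysqli('127.0.0.1', 'app', 'secret', 'appdb'); // placeholder credentials
// Escaping is charset-dependent: set the connection charset before escaping
// anything, or real_escape_string may escape for the wrong encoding.
$db->set_charset('utf8mb4');

// The chokepoint: every field of the input passes through real_escape_string
// exactly once, and only the returned array is ever interpolated into SQL.
function escapedCopy(mysqli $db, array $input): array
{
    $safe = [];
    foreach ($input as $key => $value) {
        $safe[$key] = $db->real_escape_string((string) $value);
    }
    return $safe;
}

// Untrusted input, constructed for the example: one value with a legitimate
// apostrophe, one with a classic tautology payload.
$raw = ['username' => "o'brien", 'email' => "x' OR '1'='1"];

$M = escapedCopy($db, $raw);
// Everything in $M is known to be escaped. The quotes around each placeholder
// are still mandatory: real_escape_string escapes the contents of a string
// literal, it does not add the delimiters and is not safe for identifiers or
// unquoted numeric positions.
$query = "INSERT INTO users (username, email) VALUES ('{$M['username']}', '{$M['email']}')";
$db->query($query);

// Same insert as a prepared statement: there is no escaping step to forget,
// because the parameters are sent separately from the SQL text.
$stmt = $db->prepare('INSERT INTO users (username, email) VALUES (?, ?)');
$stmt->bind_param('ss', $raw['username'], $raw['email']);
$stmt->execute();
$stmt->close();
$db->close();
```

Two details worth checking against the snippets quoted in the thread: the array keys are quoted (`$M['username']`), since a bare `$M[username]` relies on an undefined constant and is an Error in PHP 8, and the escaped values are only ever used inside single-quoted string literals, which is the one context where real_escape_string is a sufficient defence.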
