List: General Discussion
From: Dotan Cohen
Date: September 19 2011 11:20pm
Subject: Re: Quotes around INSERT and SELECT statements' arguments from the mysql CLI and PHP
On Tue, Sep 20, 2011 at 02:09, Hank <heskin@stripped> wrote:
>>
>> I want to be sure that all variables in the query are escaped. I don't
>> trust myself or anyone else to do this to every variable right before
>> the query:
>> $someVar=mysql_real_escape_string($someVar);
>>
>
> But you're doing exactly that right before the query anyway with:
> $M['username']=mysql_real_escape_string($username);
> You're just complicating things with the addition of an unneeded array.  It
> seems much simpler and less cluttered to just do:
>           $someVar=mysql_real_escape_string($someVar);
> before your insert.  All you are doing is changing "$someVar" to "$M[...]"
> and then using $M[...] in the query.  I really don't see the difference or
> benefit of using your array here.  Both methods are doing exactly the same
> thing, except one is more convoluted.

I know that this has been escaped:
$query="INSERT INTO table (username) VALUES ('{$M['username']}')";

This, I don't know if it has been escaped or not:
$query="INSERT INTO table (username) VALUES ('{$username}')";


> Now on the other hand, if you have several elements in the array $M to be
> inserted, and have a function like this to escape them all at once:
> foreach ($M as &$val)  $val = mysql_real_escape_string($val);
> then your method starts to make more sense.

I could foreach it. Or not. It doesn't matter. The point is having
known-safe variables being used in the query, which are also easy to
read.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com
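The "escape everything into one known-safe array" pattern argued for above, written out as an added example; it is not code from the thread. It assumes a mysqli connection (placeholder host, user, password and database) and a `users` table with `username` and `email` columns, and it uses mysqli_real_escape_string() where the thread uses ext/mysql's mysql_real_escape_string(), because ext/mysql was removed in PHP 7. The `escape_all` and `build_insert` helper names and the hostile input are invented for the example.

```php
<?php
// Added example, not code from the thread. Assumes a mysqli connection with
// placeholder credentials and a `users` table (username, email).

function escape_all(mysqli $link, array $vars): array
{
    // Escape every value once, in one place, with the connection's charset.
    // Everything that later reaches a query string comes out of this array,
    // so "is $username escaped?" never has to be answered per variable.
    $M = [];
    foreach ($vars as $key => $val) {
        $M[$key] = mysqli_real_escape_string($link, (string) $val);
    }
    return $M;
}

function build_insert(array $M): string
{
    // Every interpolated value comes from $M and every one is wrapped in
    // single quotes: the escaping only protects a value that sits inside a
    // quoted string literal, so the quotes are part of the safety, not style.
    return "INSERT INTO users (username, email) "
         . "VALUES ('{$M['username']}', '{$M['email']}')";
}

// Placeholder credentials; set the charset on the link, since the escaping
// rules depend on the charset the client library believes is in use.
$link = new mysqli('localhost', 'app', 'secret', 'appdb');
$link->set_charset('utf8mb4');

// Constructed hostile input: tries to close the quote and append a statement.
$input = [
    'username' => "admin', 'x'); DROP TABLE users; -- ",
    'email'    => 'a@example.com',
];

// Unsafe: raw request values interpolated straight into the query.
$unsafe = "INSERT INTO users (username, email) "
        . "VALUES ('{$input['username']}', '{$input['email']}')";

// Safe: only values from the escaped array reach the query string.
$M    = escape_all($link, $input);
$safe = build_insert($M);

echo $unsafe, "\n";   // the quote is closed and DROP TABLE becomes a statement
echo $safe,   "\n";   // every quote in the value is backslash-escaped, one INSERT
```

Two caveats the thread does not spell out: mysql_real_escape_string() and mysqli_real_escape_string() only make a value safe when it is placed inside single quotes, so an escaped value interpolated unquoted (a numeric comparison, a LIMIT, a column or table name) is still injectable; and the escaping depends on the connection charset, which is why it is set with set_charset() above rather than with a SET NAMES query that the client library does not see. Prepared statements (mysqli or PDO) remove the question of which variables were escaped entirely, since values are never spliced into the SQL text.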