In my opinion, you should always single quote everything, including numerics.  Why?  
Say you have a:
$sql = "Delete from table where id=$id";

where id is expected to be numeric.

What if the variable id ends up containing:
7 or id>0

So the sql would end up as
$sql = "Delete from table where id=7 or id>0";

If the code was:
$sql = "Delete from table where id='$id'";
It would expand to:
$sql = "Delete from table where id='7 or id>0'";
And wouldn't match any row of the table.

Of course, someone would need to know your table structure to feed that extra data, 
but that information leaks out. It's common to use form field names the same as column 
names, or to echo failed sql statements to the world. If you single quote and validate 
input for expected types, you'll prevent that attack.

> -----Original Message-----
> From: chris allen [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, April 03, 2002 3:01 PM
> Do I need the single quotes for data being put into table? 
> Ex:
> 
> $insert_query =('data' , 'data2', 'data3') etc....

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
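The two query shapes from the message side by side, as an added example in Python with sqlite3 (not code from the original post); the table `t`, its rows and the hostile value are constructed. It also adds a validate-then-bind version, which goes beyond what the mail recommends and is an assumption of this example.

```python
import re
import sqlite3

# Constructed sample input: what the message warns the variable $id might contain.
HOSTILE_ID = "7 or id>0"


def fresh_db():
    """In-memory table with ids 1..10 so every call starts from the same state."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO t VALUES (?, ?)", [(i, f"row{i}") for i in range(1, 11)])
    conn.commit()
    return conn


def delete_unquoted(conn, id_value):
    """The vulnerable shape from the message: "... where id=$id" with no quotes."""
    sql = f"DELETE FROM t WHERE id={id_value}"   # becomes: WHERE id=7 or id>0
    return conn.execute(sql).rowcount


def delete_quoted(conn, id_value):
    """The shape the message recommends: "... where id='$id'".
    The whole string is compared as one value, so no row matches.
    It still relies on validation if the input could itself contain a quote."""
    sql = f"DELETE FROM t WHERE id='{id_value}'"  # becomes: WHERE id='7 or id>0'
    return conn.execute(sql).rowcount


def delete_validated(conn, id_value):
    """Validate the expected type first, then pass the value as a bound parameter.
    Parameter binding is an addition of this example, not what the mail describes."""
    if not re.fullmatch(r"[0-9]+", id_value):
        raise ValueError(f"id must be numeric, got {id_value!r}")
    return conn.execute("DELETE FROM t WHERE id=?", (int(id_value),)).rowcount


def remaining(conn):
    """Rows left in t, to show the effect of each variant."""
    return conn.execute("SELECT COUNT(*) FROM t").fetchone()[0]
```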
