> I wrote a db class which builds my queries for me. Example snippet:
>
> /* -- db.conf -- (table definitions) */
> dbNewConn('conn', 'user:password@host');
> dbNewDb('database', 'conn');
> dbNewTable('my_table', 'database.table_name');
>
> /* -- My script.php -- */
> $d = array( 'name' => $_POST['name'],
>             'email' => $_POST['email']);
>
> dbUpdate('my_table', $d, "id='{$_POST['id']}'");
How do you differentiate between string updates and integer/float updates?
Or do you just put quotes around the numbers, too?

> As dbUpdate gets executed, if the connection isn't up, it connects to
> the db server, next if it doesn't have a list of fields for the table it
> lists the fields and 'caches' them during the script execution. And
> finally it builds the query string. The resulting query is:
>
> UPDATE database.table_name SET `name`='The Name',
> `email`='[EMAIL PROTECTED]' WHERE id=1;

Wouldn't the 1 have quotes around it?

> It handles all escaping, mysql functions etc. (so I could do: 'name' =>
> 'PASSWORD('.$_POST['name'].')' and it would be escaped properly). This
> code is running in a production application and has not had any
> performance problems.

How would you escape that? The contents of the PASSWORD function need to be
surrounded by quotes (unless you're passing a column). So you'd need

'name' => "PASSWORD('" . $_POST['name'] . "')"

wouldn't you? So if the name is "O'mallery" you'd end up with

'name' => "PASSWORD('O'mallery')"

How do you escape that without also escaping the quotes that delimit the string?

---John Holmes...

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
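The escaping problem the thread ends on, worked through as an added example that is not code from this thread or from the db class it describes: a hypothetical buildUpdate() that never concatenates user input into the SQL text, and that expresses a MySQL function such as PASSWORD() as a template with a placeholder so the bound value (here the name O'mallery, and the id in the WHERE clause) is handed to the driver separately. It assumes PHP 7 or later and a PDO connection for the final execute call.

```php
<?php
// Wraps a column assignment in a SQL expression with exactly one "?"
// where the bound value goes, e.g. sqlExpr('PASSWORD(?)', $name).
// The value itself is never spliced into the SQL string.
function sqlExpr(string $template, $value): array
{
    if (substr_count($template, '?') !== 1) {
        throw new InvalidArgumentException('expression needs exactly one ?');
    }
    return ['expr' => $template, 'value' => $value];
}

// Quotes an identifier (column or table name) with backticks, doubling
// any backtick inside it. Identifiers come from the application, not
// from the request, so this is a safety net rather than the main defence.
function quoteIdent(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

// Builds "UPDATE <table> SET ... WHERE <col> = ?" and returns the SQL plus
// the ordered parameter list, ready for PDOStatement::execute().
// Plain values become "?"; sqlExpr() entries keep their template.
function buildUpdate(string $table, array $data, string $whereCol, $whereVal): array
{
    $sets = [];
    $params = [];
    foreach ($data as $col => $val) {
        if (is_array($val) && isset($val['expr'])) {
            $sets[] = quoteIdent($col) . ' = ' . $val['expr'];
            $params[] = $val['value'];
        } else {
            $sets[] = quoteIdent($col) . ' = ?';
            $params[] = $val;
        }
    }
    $params[] = $whereVal;   // WHERE value is bound too, never quoted by hand
    $sql = 'UPDATE ' . quoteIdent($table) . ' SET ' . implode(', ', $sets)
         . ' WHERE ' . quoteIdent($whereCol) . ' = ?';
    return [$sql, $params];
}

// Constructed input standing in for $_POST; the single quote in the name
// is the case the thread asks about and never touches the SQL text here.
$post = ['name' => "O'mallery", 'email' => 'user@example.com', 'id' => '1'];
[$sql, $params] = buildUpdate('table_name', [
    'name'  => sqlExpr('PASSWORD(?)', $post['name']),
    'email' => $post['email'],
], 'id', $post['id']);
echo $sql, "\n";
print_r($params);
// With a live connection: $pdo->prepare($sql)->execute($params);
```

Because the value is bound rather than escaped, the string/number question above also goes away: the driver sends the id as a parameter and MySQL applies the column's type, so no hand-placed quotes are needed either way.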