[PHP] Re: [PHP-DB] $_POST in MySQL query issue...

2003-10-16 Thread Peter Beckman 
On Thu, 16 Oct 2003, Adam Reiswig wrote:

> $sql="insert into $table set Name = '$_POST["elementName"]'";
>
> Unfortunately this and every other combination I can think of,
> combinations of quotes that is, does not work.  I believe the source of
> the problem is the quotes within quotes within quotes. I also tried:
>
> $sql='insert into $table set Name = '.$_POST["elementName"];
>or
> $sql="insert into $table set Name = ".$_POST['elementName'];

 You need to quote the Name.

 $sql = 'insert into '.$table.' set Name = "'.addslashes($_POST['elementName']).'"';

 You've done everything here that you need, no extra variables, no nothing.

 Register_Globals is bad -- if you can avoid using it, do so.

 Performance-wise, it is better to use single quotes and concat the
 variables outside of the quoted line.  Better performance, less problems
 with variables not being expanded correctly.

Beckman
---
Peter Beckman  Internet Guy
[EMAIL PROTECTED] http://www.purplecow.com/
---

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Re: [PHP-DB] Re: [PHP] $_POST in MySQL query issue...

2003-10-16 Thread Peter Beckman 
On Fri, 17 Oct 2003, BAO RuiXian wrote:

> I see you can achieve this by two ways:
>
>   1. Take out all the inside quotes (single or double) like the following:
>
>   $sql="insert into $table set Name = $_POST[elementName]";

 This is bad.  Using no quotes MAY work, but it is considered a "BARE WORD"
 and not an actual string.

$sql='insert into '.$table.' set Name = "'.addslashes($_POST['elementName']).'"';

 is the (more) correct way to do this.

>   2. Use a temporary variable for $_POST[elementName], like $elementName
> = $_POST[elementName], then continute use your original SQL sentence
> when the register_globals was on.

 Waste (albeit very minor) of variable space.  Concat them.

Beckman
---
Peter Beckman  Internet Guy
[EMAIL PROTECTED] http://www.purplecow.com/
---

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php