 Posted by J.O. Aho on 11/07/06 13:59 
nawfer wrote: 
> db mysql; 
>  
> if ID is an int or bigint field
> 
> and in the query
> ....
> WHERE ID = '$var'
> 
> and $var = 10;
> 
> Can I write '$var' or $var (no '')?
> Or is there no difference?
> 
> Or for security is it better to use '$var' and not $var, also for numeric
> fields?
 
In the database query you use the '' when you may have special characters like 
white space (space, tab and so on). For integers/floats it's better to skip 
those, as it can be thought of as a string in some cases, which can lead to 
wrong results.
 
$var=10; 
$query="SELECT * FROM table WHERE ID=$var"; 
 
 
 
  //Aho
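
Added example, not part of the original post: it addresses the security half of the question by showing that neither `'$var'` nor `$var` protects the query when the value comes from outside, and that validating the integer and binding it does. The `items` table, the helper names and the inputs are constructed for illustration, and `sqlite::memory:` stands in for MySQL so the script runs offline.

```php
<?php
// Added example: sqlite::memory: stands in for MySQL so this runs offline.
// The table `items` and both helper functions are assumptions for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (ID INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO items (ID, name) VALUES (10, 'ten'), (11, 'eleven')");

// Pattern from the thread: the value is interpolated into the SQL text,
// either quoted ('$var') or unquoted ($var).
function find_interpolated(PDO $pdo, $var, bool $quoted): array
{
    $sql = $quoted
        ? "SELECT * FROM items WHERE ID='$var'"
        : "SELECT * FROM items WHERE ID=$var";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: reject anything that is not an integer, then bind it as one.
function find_bound(PDO $pdo, $var): array
{
    $id = filter_var($var, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('ID must be an integer');
    }
    $stmt = $pdo->prepare('SELECT * FROM items WHERE ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: [value, interpolate with quotes?]
$cases = [
    ['10', false],             // ordinary id
    ['10 OR 1=1', false],      // unquoted: extra SQL changes the WHERE clause
    ["10' OR '1'='1", true],   // quoted: the quote is closed by the value itself
];
foreach ($cases as [$input, $quoted]) {
    echo 'input: ', var_export($input, true), "\n";
    echo '  interpolated rows: ', count(find_interpolated($pdo, $input, $quoted)), "\n";
    try {
        echo '  bound rows:        ', count(find_bound($pdo, $input)), "\n";
    } catch (InvalidArgumentException $e) {
        echo '  bound:             rejected (', $e->getMessage(), ")\n";
    }
}
```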
 
  