Posted by Steve on 11/07/06 15:05
"J.O. Aho" <user@example.net> wrote in message
news:4rbhpcFqe1irU2@mid.individual.net...
| nawfer wrote:
| > db mysql;
| >
| > if ID is a field int or bigint
| >
| > if in the query
| > ....
| > WHERE ID = '$var'
| >
| > and $var= 10;
| >
| > I can use write so '$var' or so $var (no '') ?
| > or there aren't difference?
| >
| > or for security is better use '$var' and not $var also for numeric
| > field?
|
| In the database query you use the '' when you may have special characters like
| white spaces (space, tab and so on), for integers/floats it's better to skip
| those, as it can be thought of as a string in some cases which can lead to
| wrong results in some cases
|
| $var=10;
| $query="SELECT * FROM table WHERE ID=$var";
not exactly true, aho. you use tics on ANY STRING/TEXT/VARCHAR...any
NON-NUMERIC field. you cannot insert the letter a into a varchar field
without encapsulating it - even though it is NOT a special character.
however, yes, some databases will balk at you for trying to insert 123.45 or
1,234.56 into a currency or double column. the majority of databases will
parse and convert data in the form of '1,234.56' into the datatype of the
column into which it is being inserted.
i use tics around all data i'm inserting. it avoids database specifics as
far as formatting goes. i wish it were that easy with dates as well...but
alas! this also lets you do things like explode an array of values into a
dynamically generated insert into sql statement without having to worry
about which of the values needs tics...they simply all get them.
as for the example:
$var = 10;
$query = "SELECT ....";
the results will ALWAYS be the same whether $var is encapsulated or not. the
only time you have conversion problems is when SORTING is done on string
fields that only contain numeric data. again, performing a cast or
conversion on that field, THEN sorting, provides consistent and accurate
results.
hth,
me
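As an added example (not code from anyone in this thread), the cases argued above run against a throwaway sqlite3 table standing in for the MySQL one: the quoted and unquoted lookup with $var = 10, the sort on a text column that holds only digits with and without the CAST Steve recommends, and the same lookup with the value bound as a driver parameter instead of spliced into the SQL text. The table, column names and sample values are constructed; sqlite3 is used only so it runs offline.

```python
import sqlite3

# Constructed sample IDs; the "code" column stores the same digits as TEXT,
# which is the "string field that only contains numeric data" sorting case.
IDS = [9, 10, 100]


def make_db():
    """Create an in-memory table with an integer ID and a digit-only text column."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t (ID INTEGER, code TEXT)")
    con.executemany("INSERT INTO t VALUES (?, ?)", [(i, str(i)) for i in IDS])
    return con


def lookup(con, quoted):
    """nawfer's WHERE ID = '$var' versus WHERE ID = $var, with $var fixed to 10.
    The value is a constant here, so building the SQL as a string is harmless;
    with user-supplied input that is exactly what lookup_param() avoids."""
    var = 10
    if quoted:
        sql = f"SELECT ID FROM t WHERE ID = '{var}'"
    else:
        sql = f"SELECT ID FROM t WHERE ID = {var}"
    return [row[0] for row in con.execute(sql)]


def sort_text_column(con, cast):
    """Sort the digit-only text column; without a CAST the order is lexical."""
    order = "CAST(code AS INTEGER)" if cast else "code"
    return [row[0] for row in con.execute(f"SELECT code FROM t ORDER BY {order}")]


def lookup_param(con, var):
    """Same lookup with the value passed as a bound parameter: the driver, not a
    pair of tics in the SQL text, decides how the value is typed and escaped."""
    return [row[0] for row in con.execute("SELECT ID FROM t WHERE ID = ?", (var,))]


if __name__ == "__main__":
    db = make_db()
    print("quoted:", lookup(db, True), "unquoted:", lookup(db, False))
    print("text sort:", sort_text_column(db, False), "cast sort:", sort_text_column(db, True))
    print("bound int:", lookup_param(db, 10), "bound str:", lookup_param(db, "10"))
```

Both lookups return the same single row, while the uncast sort puts '9' after '100'; binding the value keeps the same result for the integer and the string without any string assembly.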