Re: PHP MySql Update — PHP Programming Language

You are here: Re: PHP MySql Update « PHP Programming Language « IT news, forums, messages

Posted by Chris Hope on 11/21/06 02:04

Akhenaten wrote:

> Coding apparently leads to blindness! I have an unclosed quote in here
> and I'm not sure where......
>
> $query="UPDATE table_name set ".
> "First_Name= \"".$formVars["First_Name"]."\",".
> "Date_Committed= \"".$formVars["Date_Committed"]."\",".
> "Signed_By= \"".$formVars["Signed_By"]."\",".
> "Rep= \"".$formVars["Sales_Rep"]."\",".
> "Aut= \"".$formVars["Atty"]."\",".
> "Car= \"".$formVars["Car"]."\",".
> "Dbl= \"".$formVars["Dbl"]."\",".
> "Sts= \"".$formVars["Sts"]."\",".
> "Notes= \"".$formVars["Notes"]."\",".
> " \"WHERE Client_ID = \"".$formVars["Client_ID"]."\"";
>
> mysql_query($query);
>
> Your eyesite is appreciated!

Wow, that's really hard to read... is there are reason you keep opening
and closing the string? It would be much easier to write it like this:

$query="UPDATE table_name set
First_Name = \"$formVars[First_Name]\",
Date_Committed = \"$formVars[Date_Committed]\",
Signed_By = \"$formVars[Signed_By]\",
....
";

or even using heredoc syntax like this:

$query = <<<END_OF_QUERY
UPDATE table_name set
First_Name = "$formVars[First_Name]",
Date_Committed = "$formVars[Date_Committed]",
Signed_By = "$formVars[Signed_By]",
...
END_OF_QUERY;

Secondly, I hope you are escaping the variables in $formVars before
putting them into that string. If not, someone could inject sql into
the form variables and your sql will have unexpected consequences. Try
Googling "sql injection attack" some time to find out more.

If you use the PEAR DB library, ADODB or ADODB_Lite (and other database
libraries that are out there) instead of the straight php mysql_*
functions, you'll be able to use variable binding which helps to
eliminate the sql injection issues, and also can make your code a lot
easier to read. They also add portability between databases and error
checking.

Example of variable binding:

$db->query("
UPDATE table_name
SET First_Name = ?,
Date_Committed = ?,
Signed_By = ?
...",
array(
$formVars['First_Name'],
$formVars['Date_Committed'],
$formVars['Signed_By']
...
)
);

--
Chris Hope | www.electrictoolbox.com | www.linuxcdmall.com

Navigation:

Next in forum: Re: Programmatically setting a radio buttones
Prev in forum: Re: PHP MySql Update
Thread view: Re: PHP MySql Update

[Reply to this message]

Удаленная работа для программистов • Как заработать на Google AdSense • England, UK • статьи на английском • PHP MySQL CMS Apache Oscommerce • Online Business Knowledge Base • DVD MP3 AVI MP4 players codecs conversion help

Home • Search • Site Map • Set as Homepage • Add to Favourites

Сайт изготовлен в Студии Валентина Петручека —
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация