Posted by Michael Fesser on 11/21/06 02:32
..oO(Chris Hope)
>Wow, that's really hard to read... is there a reason you keep opening
>and closing the string? It would be much easier to write it like this:
>
>$query="UPDATE table_name set
> First_Name = \"$formVars[First_Name]\",
> Date_Committed = \"$formVars[Date_Committed]\",
> Signed_By = \"$formVars[Signed_By]\",
>...
>";
Even simpler and more SQL-compliant with single quotes:
$query="UPDATE table_name set
First_Name = '$formVars[First_Name]',
Date_Committed = '$formVars[Date_Committed]',
Signed_By = '$formVars[Signed_By]',
....
";
>If you use the PEAR DB library, ADODB or ADODB_Lite (and other database
>libraries that are out there) instead of the straight php mysql_*
>functions, you'll be able to use variable binding which helps to
>eliminate the sql injection issues, and also can make your code a lot
>easier to read.
http://www.php.net/pdo
Micha
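As an added example (not code from this thread or from the PDO manual page linked above), here is the same UPDATE written with PDO prepared statements: the form values are bound as parameters, so a quote in the input is data rather than SQL, and the column names come from a whitelist in code because placeholders cannot stand in for identifiers. It assumes an `id` primary key on the table and uses SQLite only so that it runs offline; the pattern is the same for MySQL.

```php
<?php
// Added example, not from the original post. Assumptions: the table has an
// "id" primary key; SQLite is used only so the script runs offline.

// Only these columns may be updated. Column names can never be bound as
// parameters, so they must come from code, never from the submitted form.
const UPDATABLE_COLUMNS = ['First_Name', 'Date_Committed', 'Signed_By'];

function updateRecord(PDO $pdo, int $id, array $formVars): int
{
    $assignments = [];
    $params      = [':id' => $id];
    foreach (UPDATABLE_COLUMNS as $col) {
        if (array_key_exists($col, $formVars)) {
            $assignments[]   = "$col = :$col";          // placeholder, not the value
            $params[":$col"] = (string) $formVars[$col]; // value travels separately
        }
    }
    if ($assignments === []) {
        return 0; // nothing in the form that we are willing to update
    }
    $sql  = 'UPDATE table_name SET ' . implode(', ', $assignments) . ' WHERE id = :id';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params); // SQL text and data are sent as separate things
    return $stmt->rowCount();
}

// Constructed sample data: one row, then a form submission containing a
// single quote, which the interpolated query in the thread would have broken on.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE table_name (id INTEGER PRIMARY KEY, First_Name TEXT, Date_Committed TEXT, Signed_By TEXT)');
$pdo->exec("INSERT INTO table_name (id, First_Name, Date_Committed, Signed_By) VALUES (1, 'Alice', '2006-11-20', 'AB')");

$formVars = ['First_Name' => "O'Brien", 'Signed_By' => 'CD', 'Unexpected' => 'ignored'];
$changed  = updateRecord($pdo, 1, $formVars);

$row = $pdo->query('SELECT First_Name, Date_Committed, Signed_By FROM table_name WHERE id = 1')
           ->fetch(PDO::FETCH_ASSOC);
printf("%d row(s) updated: %s\n", $changed, json_encode($row));
```

The unknown `Unexpected` key is silently dropped by the whitelist, and `Date_Committed` is left untouched because the form did not supply it.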