Posted by Chris Hope on 11/21/06 02:51
Michael Fesser wrote:
> .oO(Chris Hope)
>
>>Wow, that's really hard to read... is there a reason you keep
>>opening and closing the string? It would be much easier to write it
>>like this:
>>
>>$query="UPDATE table_name set
>> First_Name = \"$formVars[First_Name]\",
>> Date_Committed = \"$formVars[Date_Committed]\",
>> Signed_By = \"$formVars[Signed_By]\",
>>...
>>";
>
> Even simpler and more SQL-compliant with single quotes:
>
> $query="UPDATE table_name set
> First_Name = '$formVars[First_Name]',
> Date_Committed = '$formVars[Date_Committed]',
> Signed_By = '$formVars[Signed_By]',
> ...
> ";
Very true. Now why didn't I think of that ;)
>>If you use the PEAR DB library, ADODB or ADODB_Lite (and other
>>database libraries that are out there) instead of the straight php
>>mysql_* functions, you'll be able to use variable binding which helps
>>to eliminate the SQL injection issues, and also can make your code a
>>lot easier to read.
>
> http://www.php.net/pdo
I haven't yet used PDO so I always forget it exists :)
--
Chris Hope | www.electrictoolbox.com | www.linuxcdmall.com
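As an added example that is not part of the original thread (and not code from Chris Hope or Michael Fesser): the string-interpolated UPDATE discussed above placed beside the same update as a PDO prepared statement, both run against an in-memory SQLite table that uses the column names from the thread. The table layout, the extra `approved` column and the form values are assumptions constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. The interpolated UPDATE from the
// discussion is placed beside a PDO prepared statement and both are run
// against an in-memory SQLite table. The table layout, the extra "approved"
// column and the form input are constructed for the demonstration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec("CREATE TABLE table_name (
    id INTEGER PRIMARY KEY,
    First_Name TEXT,
    Date_Committed TEXT,
    Signed_By TEXT,
    approved INTEGER NOT NULL DEFAULT 0   -- never offered on the form
)");
$db->exec("INSERT INTO table_name (id, First_Name, Date_Committed, Signed_By)
           VALUES (1, 'Alice', '2006-11-20', 'clerk')");

// The interpolated query from the thread, with the elided columns left out.
// Whatever is in $formVars becomes part of the SQL text itself.
function updateInterpolated(PDO $db, array $formVars, $id)
{
    $query = "UPDATE table_name SET
        First_Name = '$formVars[First_Name]',
        Date_Committed = '$formVars[Date_Committed]',
        Signed_By = '$formVars[Signed_By]'
        WHERE id = " . (int) $id;
    return $db->exec($query);          // rows changed
}

// The same update with bound parameters: the SQL text is fixed when
// prepare() is called, and each value is passed as data, quotes and all.
function updatePrepared(PDO $db, array $formVars, $id)
{
    $stmt = $db->prepare("UPDATE table_name SET
        First_Name = :first_name,
        Date_Committed = :date_committed,
        Signed_By = :signed_by
        WHERE id = :id");
    $stmt->bindValue(':first_name', $formVars['First_Name']);
    $stmt->bindValue(':date_committed', $formVars['Date_Committed']);
    $stmt->bindValue(':signed_by', $formVars['Signed_By']);
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function showRow(PDO $db, $id)
{
    $stmt = $db->prepare("SELECT First_Name, Signed_By, approved
                          FROM table_name WHERE id = :id");
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Constructed hostile form input. Signed_By closes the string literal,
// assigns a column the form never offered, then re-opens a string so the
// template's own closing quote still matches and the statement parses.
$formVars = [
    'First_Name'     => 'Bob',
    'Date_Committed' => '2006-11-21',
    'Signed_By'      => "clerk', approved = 1, Signed_By = 'clerk",
];

// Interpolated: the assignment smuggled in through Signed_By runs as SQL.
updateInterpolated($db, $formVars, 1);
print_r(showRow($db, 1));

$db->exec("UPDATE table_name SET approved = 0 WHERE id = 1");

// Prepared: the same input is stored verbatim as the Signed_By value.
updatePrepared($db, $formVars, 1);
print_r(showRow($db, 1));

// Ordinary data containing an apostrophe, which the interpolated version
// turns into a syntax error, goes through unchanged when bound.
updatePrepared($db, ['First_Name' => "O'Brien"] + $formVars, 1);
print_r(showRow($db, 1));
```

Run it with `php` and compare the three `print_r` results: the interpolated call is the one in which the `approved` column changes, while the prepared calls only ever change the three columns the statement names. The named placeholders (`:first_name` and so on) also make it clear at a glance which form field lands in which column, which is the readability point made in the thread.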