Re: return multiple rows from sql statement

Posted by Jan Thomä on 08/29/07 18:03

Good Man wrote:
>
> I'll assume this code is here for brevity, and that you're really making
> sure that your $check variable contains what you're expecting it to (a
> number).
>
> I tend to craft my SQL 'where' statements AFTER checking for variables,
> assembling them as a string, and appending them to a query.

I always use the placeholder notation for doing SQL. Concatenating SQL strings
from input values is almost certainly a safe path to SQL injection. So what
I'd do is:

foreach( ... ) {
    // one placeholder per value; the leading space keeps the terms separated
    $where .= " OR id = ?";
}

and then use a framework like AdoDB to have them replace the placeholders.
Saves a lot of time and problems...

Best regards,
Jan


--
_________________________________________________________________________
insOMnia - We never sleep...
http://www.insOMnia-hq.de
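
The placeholder approach described in the post above, as an added example that is not part of the original post: it uses PHP's PDO with an in-memory SQLite database in place of AdoDB, and the items table, the function names and the sample input are assumptions made for illustration.

```php
<?php
// Added example: PDO stands in for the AdoDB layer mentioned in the post.
// Table name, column names and sample rows are constructed for illustration.

/**
 * Build "id = ? OR id = ?" with one placeholder per value.
 * Returns [sqlFragment, params]; an empty list yields a clause matching nothing.
 */
function buildIdWhere(array $ids): array
{
    if (count($ids) === 0) {
        return ['1 = 0', []];   // avoid a dangling "WHERE" with no condition
    }
    $parts = array_fill(0, count($ids), 'id = ?');
    return [implode(' OR ', $parts), array_values($ids)];
}

function fetchByIds(PDO $db, array $ids): array
{
    [$where, $params] = buildIdWhere($ids);
    // Only placeholder text is concatenated; the values travel separately.
    $stmt = $db->prepare("SELECT id, name FROM items WHERE $where ORDER BY id");
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO items (id, name) VALUES (1, 'alpha'), (2, 'beta'), (3, 'gamma')");

// Constructed request input: two valid ids and one injection-style string.
$input = ['1', '3', '0 OR 1=1'];

foreach (fetchByIds($db, $input) as $row) {
    echo $row['id'], ' ', $row['name'], PHP_EOL;
}
```

The third input value is bound as data and compared against the id column as a literal string, so it cannot change the structure of the WHERE clause.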
