Posted by Aerik on 05/04/07 00:08
On May 3, 5:02 pm, john <puop...@gmail.com> wrote:
<snip>
>
> The problem with constructing a string comes in due to the fact that
> you often need to quote strings in the SQL statement, e.g., $sql =
> "insert...values('$_POST['email']..)" There doesn't seem to be a
> combination of single and double quotes that works.
>
> Is there a standard way people tend to build SQL strings from $_POST
> (or $_GET) data in PHP?
I'll be interested to see other answers to this too. I like to mangle
your post data first by looping through the $_POST and building your
$fields and $values string, all the while checking for valid field
names and escaping your strings appropriately. Then just do this:
$sql = "INSERT INTO mytable ($fields) VALUES ($values)";
Aerik
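An added example, not from Aerik's post or anyone else in the thread, showing the loop-with-field-validation approach above done with PDO prepared statements rather than hand-escaping each value. The table name `mytable`, the allow-listed columns, the DSN and the credentials are assumptions for illustration. On the quoting problem in the question: PHP accepts `'{$_POST['email']}'` or `'$_POST[email]'` inside a double-quoted string, but either form still splices the raw value into the SQL text; binding the values as parameters removes the quoting problem entirely because the data never becomes part of the statement.

```php
<?php
// Added example (not code from the original post). Assumes a table `mytable`
// whose columns are the names in $allowed; DSN and credentials are placeholders.

// The naive version from the question, shown for contrast and NOT executed:
//   $sql = "INSERT INTO mytable (email) VALUES ('" . $_POST['email'] . "')";
// With email = o'hara@example.com the statement breaks, and with a crafted
// value the attacker controls the rest of the SQL.

// Allow-list of column names. Identifiers cannot be bound as parameters, so
// the only safe way to take a column name from user input is to compare it
// against a fixed list and drop anything else.
$allowed = ['email', 'name', 'city'];

// Constructed sample input standing in for $_POST.
$post = [
    'email' => "o'hara@example.com", // the quote that breaks naive string building
    'name'  => 'Scarlett',
    'hack'  => 'ignored',            // not in the allow-list, silently dropped
];

/**
 * Build an INSERT with one named placeholder per accepted field.
 * Returns [$sql, $params]; $params feeds PDOStatement::execute().
 */
function buildInsert(array $input, array $allowed, string $table): array
{
    $fields = [];
    $params = [];
    foreach ($input as $key => $value) {
        if (!in_array($key, $allowed, true)) {
            continue; // unknown field name: skip rather than trust it
        }
        $fields[] = '`' . $key . '`';   // safe: $key matched the allow-list exactly
        $params[':' . $key] = $value;   // value goes to the driver, not the SQL text
    }
    if ($fields === []) {
        throw new InvalidArgumentException('no accepted fields in input');
    }
    $sql = sprintf(
        'INSERT INTO `%s` (%s) VALUES (%s)',
        $table,                            // hard-coded by the caller, never user input
        implode(', ', $fields),
        implode(', ', array_keys($params))
    );
    return [$sql, $params];
}

[$sql, $params] = buildInsert($post, $allowed, 'mytable');
// $sql is now: INSERT INTO `mytable` (`email`, `name`) VALUES (:email, :name)
// The apostrophe in the email address is harmless because it is never
// part of the statement string.

$pdo = new PDO('mysql:host=localhost;dbname=test', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
echo "inserted row id " . $pdo->lastInsertId() . PHP_EOL;
```

The allow-list does the job Aerik describes as "checking for valid field names"; the prepared statement replaces the per-value escaping, which is the part that is easy to get wrong (the right escaping function depends on the database and connection charset). Note that `in_array` is called with strict comparison so that keys like `0` cannot match a column name by type juggling.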