Posted by john on 05/04/07 00:15

On May 3, 8:08 pm, Aerik <asyl...@gmail.com> wrote:
> On May 3, 5:02 pm, john <puop...@gmail.com> wrote:
> <snip>
>
>
>
> > The problem with constructing a string comes in due to the fact that
> > you often need to quote strings in the SQL statement, e.g, $sql =
> > "insert...values('$_POST['email']..)" There doesn't seems to be a
> > combination of single and double quotes that work.
>
> > Is there a standard way people tend to build SQL strings from $_POST
> > (or $_GET) data in PHP?
>
> I'll be interested to see other answers to this too. I like to mangle
> your post data first by looping through the $_POST and building your
> $fields and $values string, all the while checking for valid field
> names and escaping your strings appropriately. Then just do this:
>
> $sql = "INSERT INTO mytable ($fields) VALUES ($values)";
>
> Aerik

Aerik et al:

Interestingly, this seems to work...(I just tested this before I saw
your (very quick - thanks!) reply:

$fruit = array('a' => 'apricot', 'b' => 'banana');
$s = "insert into food(x,y) values ('$fruit[a]', '$fruit[b]')";
print $s;
// prints: insert into food(x,y) values ('apricot', 'banana')

This constructs the proper SQL statement. I was having a difficult
time since I thought I needed to surround the index (a and b above)
with some type of quotes. Apparently, PHP can use the non-quoted
index, which solves the simple problem of using $_POST[index], even
when index is a named index into the array. Cool....

jpuopolo

[Back to original message]