Posted by Iván Sánchez Ortega on 05/04/07 00:23
john wrote:
> However, pulling out each variable from the $_POST array seems
> awkward.
Unless you program a framework just for that, it's the way to go.
> The problem with constructing a string comes in due to the fact that
> you often need to quote strings in the SQL statement
You *always* have to quote strings in SQL.
> , e.g, $sql = "insert...values('$_POST['email']..)" There doesn't seem to
> be a combination of single and double quotes that works.
Re-read the PHP manual, chapter on string expansion: whenever you put an
array element inside a double-quoted string, you must enclose it with curly
braces.
> Is there a standard way people tend to build SQL strings from $_POST
> (or $_GET) data in PHP?
Yes: *always* escape the variables (or at least, check them):
$email = mysql_real_escape_string($_POST['email']);
$name = mysql_real_escape_string($_POST['name']);
$age = (int) $_POST['age'];
$sql = "insert into foobar values ('$name','$email',$age)";
Do this, and you'll never worry about SQL injections.
--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-
http://acm.asoc.fi.upm.es/~mr/ ; http://acm.asoc.fi.upm.es/~ivan/
MSN:i_eat_s_p_a_m_for_breakfast@hotmail.com
Jabber:ivansanchez@jabber.org ; ivansanchez@kdetalk.net
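The pattern the reply recommends, written out as an added example (not code from the original post): the same INSERT built from request data with escaping and the curly-brace array syntax inside a double-quoted string, next to a mysqli prepared statement that keeps the values out of the SQL text altogether. It uses mysqli in place of the mysql_* functions (removed in PHP 7), so the escaping function is the connection method `real_escape_string`, which needs a live connection because the escaping rules depend on the connection's character set. The table `foobar`, the credentials and the sample form data are assumptions.

```php
<?php
// Added example, not code from the original post. Builds the reply's INSERT
// from request data in two ways: escape-and-interpolate (the approach the
// reply recommends, using the curly-brace array syntax it refers to) and a
// mysqli prepared statement, which keeps data out of the SQL text entirely.
// mysqli is used instead of the mysql_* functions, which were removed in PHP 7.
// Assumes a MySQL server reachable with the placeholder credentials below and
// a table created as:
//   CREATE TABLE foobar (name VARCHAR(64), email VARCHAR(128), age INT)

// Constructed sample input standing in for a real form submission. The
// apostrophe in the name is the classic case that breaks an unescaped string.
$post = ['name' => "O'Brien", 'email' => 'ob@example.com', 'age' => '42'];

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'testdb'); // placeholder credentials
if ($db->connect_error) {
    die('connection failed: ' . $db->connect_error);
}

// real_escape_string needs the live connection because the escaping rules
// depend on the connection's character set, so set the charset first.
$db->set_charset('utf8mb4');

// 1) Escape-and-interpolate: strings are escaped and quoted, numbers are cast.
function build_insert(mysqli $db, array $post): string
{
    $name  = $db->real_escape_string($post['name'] ?? '');
    $email = $db->real_escape_string($post['email'] ?? '');
    $age   = (int) ($post['age'] ?? 0);   // numeric column: cast, do not quote
    // Array elements inside a double-quoted string go in curly braces.
    return "INSERT INTO foobar VALUES ('{$name}','{$email}',{$age})";
}

$sql = build_insert($db, $post);
// $sql is now: INSERT INTO foobar VALUES ('O\'Brien','ob@example.com',42)
if (!$db->query($sql)) {
    die('query failed: ' . $db->error);
}

// 2) Prepared statement: the SQL text contains only placeholders and the
//    values travel separately, so no quoting or escaping is involved at all.
function insert_prepared(mysqli $db, array $post): bool
{
    $stmt = $db->prepare('INSERT INTO foobar VALUES (?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    $name  = $post['name'] ?? '';
    $email = $post['email'] ?? '';
    $age   = (int) ($post['age'] ?? 0);
    $stmt->bind_param('ssi', $name, $email, $age);   // s = string, i = integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (!insert_prepared($db, $post)) {
    die('prepared insert failed: ' . $db->error);
}
$db->close();
```

The integer cast in the first form matters as much as the escaping: a numeric column interpolated without quotes must never receive a raw string, because escaping only protects values that sit inside quotes. The prepared form removes that distinction, since the type letters passed to `bind_param` decide how each value is sent.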