Posted by Norman Peelman on 05/04/07 02:13
Iván Sánchez Ortega wrote:
> john wrote:
>
>> However, pulling out each variable from the $_POST array seems
>> awkward.
>
> Unless you program a framework just for that, it's the way to go.
>
>> The problem with constructing a string comes in due to the fact that
>> you often need to quote strings in the SQL statement
>
> You *always* have to quote strings in SQL.
>
>> , e.g, $sql = "insert...values('$_POST['email']..)" There doesn't seems to
>> be a combination of single and double quotes that work.
>
> Re-read the PHP manual, chapter on string expansion: whenever you put an
> array element inside a double-quoted string, you must enclose it with curly
> braces.
>
Not true...
"insert ... values('$_POST[email]') ...";
works just fine (as it should). Constants are NOT checked for when used
in this manner. However, using curly braces causes Constants to be
checked thereby re-introducing the need for single quotes around key names.
Curly braces are really only needed when accessing multi-dimensional
arrays in this manner:
"insert ... values('{$arr['key1']['key2']}') ... ";
or
"insert ... values('{$arr[0][1]}') ... ";
....just pick a good method and stick with it. Me personally, I hate
resorting to string concatenation if at all possible:
<-- from blessblessbless@gmail.com -->
>> does this not work?
>> $sql = "insert ... values ('".$_POST['email']."')...";
....and in his/her own words
>> in case it is not readable:
>> ('".$_POST['email']."') = (' ". $_POST['email'] . " ')
Norm
>> Is there a standard way people tend to build SQL strings from $_POST
>> (or $_GET) data in PHP?
>
> Yes: *always* escape the variables (or at least, check them):
>
> $email = mysql_real_escape_string($_POST['email']);
> $name = mysql_real_escape_string($_POST['name']);
> $age = (int) $_POST['age'];
>
> $sql = "insert into foobar values ('$name','$email',$age)";
>
>
> Do this, and you'll never worry about SQL injections.
>
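Added example (not part of the thread above, and not code by any of its posters): it demonstrates the interpolation forms Norm describes, then shows why a raw `$_POST` value dropped into the statement can change the SQL, and stores the same value safely with a bound parameter instead. It assumes PHP with the PDO sqlite driver available; the `$post` array stands in for `$_POST`, and its values are constructed for the demonstration. The fix shown uses PDO prepared statements rather than the `mysql_real_escape_string()` call in the quoted reply (that function was removed in PHP 7).

```php
<?php
// Constructed stand-in for $_POST; the 'name' value is hostile on purpose.
$post = [
    'email' => "o'brien@example.com",
    'name'  => "x', 'y@example.com', 0); DROP TABLE foobar; --",
    'age'   => '42',
];

// 1. Interpolation forms discussed above.
$simple = "values('$post[email]')";         // unquoted key inside "..." is fine
$curly  = "values('{$post['email']}')";     // curly form: key must be quoted
$nested = ['a' => ['b' => 'deep']];
$multi  = "values('{$nested['a']['b']}')";  // curly form needed for nested arrays
assert($simple === $curly);
assert($multi === "values('deep')");

// 2. The risk: interpolating raw input lets the value rewrite the statement.
$unsafe = "insert into foobar values ('$post[name]','$post[email]',$post[age])";
echo $unsafe, PHP_EOL;
// The 'name' value closes the string literal and appends a second statement.

// 3. The fix: bind values so they are always data, never SQL syntax.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('create table foobar (name text, email text, age integer)');

$stmt = $pdo->prepare('insert into foobar values (:name, :email, :age)');
$stmt->bindValue(':name',  $post['name'],       PDO::PARAM_STR);
$stmt->bindValue(':email', $post['email'],      PDO::PARAM_STR);
$stmt->bindValue(':age',   (int) $post['age'],  PDO::PARAM_INT);
$stmt->execute();

// The hostile string is stored verbatim; the table is intact.
$row = $pdo->query('select name, age from foobar')->fetch(PDO::FETCH_ASSOC);
assert($row['name'] === $post['name']);
assert($row['age'] == 42);
echo "stored as data: {$row['name']}", PHP_EOL;
```

Run it with `php example.php`: the first echo prints the statement that the hostile value would have produced, the second shows that the same value went into the table as plain text because the driver, not string quoting, separated data from SQL.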