Posted by gosha bine on 05/04/07 07:54
On 04.05.2007 02:02 john wrote:
> All:
>
> I'm a long-time developer, new to PHP....
>
> Is there an idiom used in PHP to construct SQL statements from $_POST
> data?
>
> I would guess that in many applications, the data read from $_POST are
> used to build SQL statements. Certainly, we can do the following:
>
> $email = $_POST['email'];
> $sql = "insert ... values ('$email')...";
>
> However, pulling out each variable from the $_POST array seems
> awkward.
>
> The problem with constructing a string comes in due to the fact that
> you often need to quote strings in the SQL statement, e.g., $sql =
> "insert...values('$_POST['email']..)". There doesn't seem to be a
> combination of single and double quotes that works.
>
> Is there a standard way people tend to build SQL strings from $_POST
> (or $_GET) data in PHP?
>
> Thanks,
> John
> jpuopolo
>
Hi there,
The most correct and headache-free way to build an SQL statement is to
use prepared statements. If you're on php5, it's strongly recommended to
use PDO [http://www.php.net/manual/en/ref.pdo.php] that has this feature
out of the box:
$st = $db->prepare('INSERT INTO ... VALUES(?, ?)');
$st->execute(array($_POST['name'], $_POST['email']));
For older php versions you can use libraries that emulate the same
functionality: AdoDB, PEAR::MDB etc.
--
gosha bine
extended php parser ~ http://code.google.com/p/pihipi
blok ~ http://www.tagarga.com/blok
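A worked version of the PDO approach described above, added here as an example (not code from the original thread): it builds the INSERT from an allow-list of column names defined in code, binds every $_POST value as a parameter, and uses an in-memory SQLite database and a constructed request array so it runs stand-alone. The `users` table, its columns and the `insertFromPost` helper are assumptions for the demonstration.

```php
<?php
// Added example, not from the original thread. Column names come from a
// hard-coded allow-list (identifiers cannot be bound as parameters); the
// values from the request are bound, never interpolated into the SQL text.
declare(strict_types=1);

function insertFromPost(PDO $db, string $table, array $allowedColumns, array $post): int
{
    // Keep only the permitted fields that are actually present in the request.
    $columns = array_values(array_intersect($allowedColumns, array_keys($post)));
    if ($columns === []) {
        throw new InvalidArgumentException('no permitted fields present in request');
    }
    $placeholders = array_map(fn(string $c): string => ':' . $c, $columns);
    // $table and $columns are developer-controlled strings, so sprintf here is safe;
    // the user-supplied values only ever travel through bindValue().
    $sql = sprintf('INSERT INTO %s (%s) VALUES (%s)',
        $table, implode(', ', $columns), implode(', ', $placeholders));

    $st = $db->prepare($sql);
    foreach ($columns as $c) {
        $st->bindValue(':' . $c, (string) $post[$c], PDO::PARAM_STR);
    }
    $st->execute();
    return (int) $db->lastInsertId();
}

// Stand-alone demonstration: constructed request data instead of a real $_POST.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');

$fakePost = [
    'name'  => "Miles O'Brien",   // the embedded-quote case John asked about
    'email' => 'obrien@example.com',
    'role'  => 'admin',           // not in the allow-list, so it never reaches the SQL
];
$id = insertFromPost($db, 'users', ['name', 'email'], $fakePost);

// Read it back the same way: parameter bound, not concatenated.
$st = $db->prepare('SELECT name, email FROM users WHERE id = :id');
$st->execute([':id' => $id]);
$row = $st->fetch(PDO::FETCH_ASSOC);
var_dump($row['name'] === "Miles O'Brien"); // the apostrophe is stored verbatim
```

With a MySQL DSN the same code works unchanged; the only difference is that you would also turn off PDO::ATTR_EMULATE_PREPARES so the server, not the client, does the parameter handling.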