|
|
Posted by Michael Fesser on 05/13/07 12:21
..oO(Johnny BeGood)
>Thanks for the reply, can you give me some guidance on
>
>> 2) use prepared statements
>>
>> The second is the preferred, but whether it's available or not depends
>> on the used DB backend and the interface.
>
>I have used
>
>$stmt = odbc_prepare($odbc, "INSERT INTO Tasks (TaskType, Details)
>VALUES('$tasktype','$taskdetails');" );
Maybe I should have said "parameterized statement". The purpose of such
statements is to use parameters/placeholders in the query string, which
are replaced with the current values _after_ the statement was prepared.
Your code should look like this (just splitted a bit for legibility):
// query string with 2 placeholders
$query = 'INSERT INTO Tasks (TaskType, Details) VALUES (?, ?)';
// prepare the statement
$stmt = odbc_prepare($odbc, $query);
// pass all parameters in an array and execute the statement
if (!odbc_execute($stmt, array($tasktype, $taskdetails))) {
...
}
HTH
Micha
[Back to original message]
|