 Posted by Jan Thomä on 08/29/07 18:03 
Good Man wrote: 
>  
> i'll assume this code is here for brevity, and that you're really making 
> sure that your $check variable contains what you're expecting it to (a 
> number). 
>  
> I tend to craft my SQL 'where' statements AFTER checking for variables, 
> assembling them as a string, and appending them to a query. 
 
I always use the placeholder notation for doing SQL. Concatenating SQL strings 
from input values is almost certainly a safe path to SQL injection. So what 
I'd do is: 
 
foreach( ... ) { 
   $where .= " OR id = ?";   /* leading space keeps the conditions separated */
} 
 
and then use a framework like AdoDB to have them replace the placeholders. 
Saves a lot of time and problems... 
 
Best regards, 
Jan 
 
 
--  
_________________________________________________________________________ 
insOMnia - We never sleep... 
http://www.insOMnia-hq.de
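The pattern Jan describes, written out as an added example that is not part of the original post: the loop emits one "?" per id and the values are handed to the driver separately. It uses PDO with an in-memory SQLite database instead of AdoDB (an assumption made so it runs offline; AdoDB's Execute($sql, $params) takes the same "?" placeholders), and the items table and its rows are constructed for the demo.

```php
<?php
// Added example (not from the original post). Builds a WHERE clause from a
// list of ids using "?" placeholders and binds the values separately, so the
// SQL text never changes no matter what the ids contain.

// Constructed sample data: an in-memory SQLite table with four rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
foreach ([[1, 'alpha'], [2, 'beta'], [3, 'gamma'], [4, 'delta']] as $row) {
    $pdo->prepare('INSERT INTO items (id, name) VALUES (?, ?)')->execute($row);
}

/**
 * Return the rows whose id is in $ids.
 *
 * One "?" per value: the query text is fixed at prepare time and the values
 * travel separately, so they are compared as data and never parsed as SQL.
 */
function findByIds(PDO $pdo, array $ids): array
{
    if ($ids === []) {
        return [];   // "WHERE" with no condition is a syntax error; short-circuit
    }

    $conditions = [];
    foreach ($ids as $id) {
        $conditions[] = 'id = ?';   // placeholder only, never the value itself
    }
    $sql = 'SELECT id, name FROM items WHERE ' . implode(' OR ', $conditions);

    $stmt = $pdo->prepare($sql);
    $stmt->execute(array_values($ids));   // values bound positionally to the "?"s
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Ordinary input: ids 1 and 3 match two rows.
print_r(findByIds($pdo, [1, 3]));

// Input that is not a number: bound as a literal string, it matches no row.
// Concatenated into the SQL text instead, the same string would have become
// part of the query; with a placeholder it is just a value that equals no id.
print_r(findByIds($pdo, ['1 OR id = 2']));
```

The empty-list check matters in practice: with no ids the loop produces no condition and the query would end in a bare WHERE, so the function returns early rather than sending malformed SQL.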
 