Tracy R Reed wrote:
> Darren New wrote:
>> For PHP and MySQL, it's not the wrong way to go. True, you need to
>> throttle your SQL thru the MySqlEscape function, but really, if you're
>> manually concatenating things together to make SQL, you should be
>> making a library or something.
> Yes, I will probably recommend the making of a library as well.
I have one with routines
build_select
takes the name of a table and an array of column->value
build_insert
ibid, except with a parameter that allows for "replace" as well
build_update
takes table name, array of selections, and array of new values,
as well as an optional argument that keeps it from checking that
num_rows (or whatever it's called for updates) returns exactly 1.
They all quote their arguments appropriately. The routines to perform
the queries are
query($sql, $mnemonic)
and
update($sql, $mnemonic)
Each does the query, returns the result set, and if it fails throws
an error with the indicated $mnemonic in it (which basically is
enough for me to find the right line easily). update() just calls
query() and then makes sure exactly one row got changed.
Handy especially when you're going direct from form to table row.
Of course, the more sophisticated queries still have to be written "by
hand", but mysqlescape deals with that. The real trick is just knowing
that things need to get escaped when you compose them, instead of being
lazy about it. :-)
>> This is really as much a DB question as it is a PHP question. Which DB
>> are you using?
> MySQL
Yah. Use the escaping tools that come with MySQL. Then you don't have to
worry about whether you got the regular expression right. Especially
when you start using unicode or binary blobs or whatever.
--
Darren New / San Diego, CA, USA (PST)
Remember the good old days, when we
used to complain about cryptography
being export-restricted?
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-lpsg
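An added example of the kind of helper library Darren describes (build_select, build_insert, build_update, plus query/update with a mnemonic for error messages). This is not Darren's code or anything from the list; it is a sketch in the same shape that swaps the MySQL escaping function for PDO prepared statements, so column values are passed as bound parameters and never concatenated into the SQL text. Identifiers (table and column names) cannot be bound, so they are checked against a strict pattern and backtick-quoted instead. The demo at the bottom runs against an in-memory SQLite database (a constructed stand-in; the PDO calls are the same for MySQL), and the sample value "O'Brien" is chosen because it would break naive string building.

```php
<?php
// Added example, not from the thread. Assumes PDO with the sqlite driver
// for the demo; for MySQL use a 'mysql:' DSN instead.

function quote_ident(string $name): string {
    // Placeholders can't stand in for identifiers, so whitelist the
    // characters and quote the name ourselves.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("bad identifier: $name");
    }
    return '`' . $name . '`';
}

// Turns ['col' => value, ...] into "`col` = ?, ..." and appends the values
// to $params, so every value travels as a bound parameter.
function bind_pairs(array $pairs, array &$params, string $glue): string {
    $parts = [];
    foreach ($pairs as $col => $val) {
        $parts[] = quote_ident($col) . ' = ?';
        $params[] = $val;
    }
    return implode($glue, $parts);
}

// Table name and array of column->value used as an AND-ed WHERE clause.
function build_select(string $table, array $where): array {
    $params = [];
    $sql = 'SELECT * FROM ' . quote_ident($table);
    if ($where) {
        $sql .= ' WHERE ' . bind_pairs($where, $params, ' AND ');
    }
    return [$sql, $params];
}

// Same as build_select, with a flag that emits REPLACE instead of INSERT.
function build_insert(string $table, array $row, bool $replace = false): array {
    $cols  = array_map('quote_ident', array_keys($row));
    $marks = implode(', ', array_fill(0, count($row), '?'));
    $verb  = $replace ? 'REPLACE' : 'INSERT';
    $sql   = "$verb INTO " . quote_ident($table)
           . ' (' . implode(', ', $cols) . ") VALUES ($marks)";
    return [$sql, array_values($row)];
}

// Table name, array of selections (WHERE) and array of new values (SET).
function build_update(string $table, array $where, array $new): array {
    $params = [];
    $sql = 'UPDATE ' . quote_ident($table)
         . ' SET '   . bind_pairs($new,   $params, ', ')
         . ' WHERE ' . bind_pairs($where, $params, ' AND ');
    return [$sql, $params];
}

// Runs a built query; on failure the exception carries the caller's
// $mnemonic so the offending call site is easy to find.
function query(PDO $db, array $built, string $mnemonic): PDOStatement {
    [$sql, $params] = $built;
    try {
        $stmt = $db->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    } catch (PDOException $e) {
        throw new RuntimeException("query failed [$mnemonic]: " . $e->getMessage(), 0, $e);
    }
}

// Calls query() and, unless told otherwise, insists exactly one row changed.
function update(PDO $db, array $built, string $mnemonic, bool $check_one = true): int {
    $n = query($db, $built, $mnemonic)->rowCount();
    if ($check_one && $n !== 1) {
        throw new RuntimeException("expected exactly 1 row changed, got $n [$mnemonic]");
    }
    return $n;
}

// Constructed demo: in-memory SQLite, same PDO API as MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');

query($db, build_insert('users', ['name' => "O'Brien", 'email' => 'ob@example.com']), 'ins1');
update($db, build_update('users', ['name' => "O'Brien"], ['email' => 'new@example.com']), 'upd1');
$rows = query($db, build_select('users', ['name' => "O'Brien"]), 'sel1')
            ->fetchAll(PDO::FETCH_ASSOC);
var_dump($rows[0]['email'] === 'new@example.com');
```

The point of the shape is the one Darren makes: once every value goes through the builders, there is nothing left to forget to escape, and the hand-written queries that remain are the only place a reviewer still has to look.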