On Tue, Sep 20, 2011 at 02:09, Hank <hes...@gmail.com> wrote:
>> I want to be sure that all variables in the query are escaped. I don't
>> trust myself or anyone else to do this to every variable right before
>> the query:
>> $someVar=mysql_real_escape_string($someVar);
>
> But you're doing exactly that right before the query anyway with:
> $M['username']=mysql_real_escape_string($username);
> You're just complicating things with the addition of an unneeded array. It
> seems much simpler and less cluttered to just do:
> $someVar=mysql_real_escape_string($someVar);
> before your insert. All you are doing is changing "$someVar" to "$M[...]"
> and then using $M[...] in the query. I really don't see the difference or
> benefit of using your array here. Both methods are doing exactly the same
> thing, except one is more convoluted.

I know that this has been escaped:
$query="INSERT INTO table (username) VALUES ('{$M['username']}')";

This, I don't know if it has been escaped or not:
$query="INSERT INTO table (username) VALUES ('{$username}')";

> Now on the other hand, if you have several elements in the array $M to be
> inserted, and have a function like this to escape them all at once:
> foreach ($M as &$val) $val= mysql_real_escape_string($val);
> then your method starts to make more sense.

I could foreach it. Or not. It doesn't matter. The point is having
known-safe variables being used in the query, which are also easy to read.

-- 
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com

-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
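The pattern argued for above (escape every input exactly once into an array of known-safe values, then build the SQL only from that array), written out as an added example that is not code from either poster. It assumes an open mysqli connection in `$link`; because the `mysql_*` extension used in the thread was removed in PHP 7, `mysqli_real_escape_string` stands in for `mysql_real_escape_string`, and the helper name `escapeAll` and the sample input are invented for the illustration.

```php
<?php
// Added example (not from the thread). Builds $M, an array holding only
// escaped copies of the raw inputs, so that query strings are assembled
// from $M alone and a raw variable can never reach the SQL by accident.
// Assumes $link is an open mysqli connection.

function escapeAll(mysqli $link, array $input): array
{
    $M = [];
    foreach ($input as $key => $val) {
        // Escape each value exactly once; everything in $M is known-safe
        // for use inside a single-quoted SQL string literal.
        $M[$key] = mysqli_real_escape_string($link, (string) $val);
    }
    return $M;
}

// Constructed sample input, as it might arrive from a web form.
$raw = [
    'username' => "o'neil",             // the quote must not break the query
    'email'    => 'oneil@example.com',
];

$M = escapeAll($link, $raw);

// Only elements of $M appear in the query; the raw $raw array is never
// interpolated. Note the quoted key: {$M[username]} (unquoted) is a
// constant lookup inside a double-quoted string and is an error.
$query = "INSERT INTO users (username, email)"
       . " VALUES ('{$M['username']}', '{$M['email']}')";

// $M['username'] now holds o\'neil, so the literal is intact.
```

Escaping only makes a value safe inside a quoted string literal; a value used unquoted (a numeric column, a LIMIT count) needs an integer cast instead, and a prepared statement with bound parameters removes the need to track escaped state at all.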