On Fri, 17 Oct 2003, BAO RuiXian wrote:

> I see you can achieve this by two ways:
>       1. Take out all the inside quotes (single or double) like the following:
>       $sql="insert into $table set Name = $_POST[elementName]";

 This is bad.  Using no quotes MAY work, but it is considered a "BARE WORD"
 and not an actual string.

    $sql='insert into '.$table.' set Name = "'.addslashes($_POST['elementName']).'"';

 is the (more) correct way to do this.

>       2. Use a temporary variable for $_POST[elementName], like $elementName
> = $_POST[elementName], then continute use your original SQL sentence
> when the register_globals was on.

 Waste (albeit very minor) of variable space.  Concat them.

Peter Beckman                                                  Internet Guy
[EMAIL PROTECTED]                             http://www.purplecow.com/

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to