On Thu, 2008-03-20 at 09:22 -0700, Lamp Lists wrote:
> hi,
> I saw several times that some people use this
>
> $parameters = array(
> 'param1' => "{$_POST["param1"]}",
> 'param2' => "{$_POST["param2"]}"
> );
Ignorance.
> or
>
> $query = mysql_query("SELECT * FROM table1 WHERE id='{$session_id}'");
Ignorance/Habit since you only need to do that if the context of the
variable is ambiguous... for instance:
$something = "Something blah $blehblah blah blah".
When what was really wanted was:
$something = "Something blah {$bleh}blah blah blah".
One would hope that in the example you provided the developer properly
escaped $session_id.
> I would use:
>
> $parameters = array(
> 'param1' => $_POST["param1"],
> 'param2' => $_POST["param2"]
> );
I sure would too (although I'd use single quotes for the array indices).
I'd also append a dangling , to that last array entry to make it
simplistic to add another entry and never worry about having to add a ,
to the previous entry. The following is perfectly legal in PHP and is an
intentional feature:
$parameters = array
(
'param1' => $_POST['param1'],
'param2' => $_POST['param2'],
);
> and
>
> $query = mysql_query("SELECT * FROM table1 WHERE id=' ".$session_id."
> ' ");
That's broken unless you're relying on a MySQL type conversion trick to
match the session ID since you've prepended and appended the id match
with spaces. You probably meant to type:
"SELECT * FROM table1 WHERE id='".$session_id."' "
In that case, I normally do similar for queries, except mine look more
like:
"SELECT * FROM table1 WHERE id=".$db->quote( $session_id )." "
Where the quote() method performs both the quoting and the escaping.
> does it really matter? is there really difference or these are just two
> "styles"?
It matters greatly if it's incorrect :) Otherwise it matters less so but
one is more efficient than the other. There's absolutely no reason to
interpolate a value if the value is the variable's value itself.
Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP
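
An added example, not part of the original message and not the poster's own code: the three ways of building the query discussed above, run against an in-memory SQLite table, with a bound-parameter version added for comparison (going one step beyond the thread). PDO::quote() stands in for the $db->quote() method mentioned in the reply; PHP 7+ with pdo_sqlite, the table contents and the helper names run_sql/run_prepared are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with pdo_sqlite;
// table1 and its two rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE table1 (id TEXT PRIMARY KEY, owner TEXT)");
$db->exec("INSERT INTO table1 VALUES ('abc123', 'alice')");
$db->exec("INSERT INTO table1 VALUES ('it''s', 'bob')");

// Three ways of building the query text discussed in the thread.
$builders = array(
    // Spaces inside the quotes become part of the compared value.
    'padded' => function ($id) { return "SELECT * FROM table1 WHERE id=' ".$id." ' "; },
    // Quoted by hand, value not escaped.
    'concat' => function ($id) { return "SELECT * FROM table1 WHERE id='".$id."' "; },
    // PDO::quote() adds the surrounding quotes and escapes the value.
    'quote'  => function ($id) use ($db) { return "SELECT * FROM table1 WHERE id=".$db->quote($id)." "; },
);

// Run a query string; report the row count or the driver's error.
function run_sql($db, $sql)
{
    try {
        return count($db->query($sql)->fetchAll()) . ' row(s)';
    } catch (PDOException $e) {
        return 'error: ' . $e->getMessage();
    }
}

// Bound parameter: the value never becomes part of the SQL text.
function run_prepared($db, $id)
{
    $stmt = $db->prepare('SELECT * FROM table1 WHERE id = ?');
    $stmt->execute(array($id));
    return count($stmt->fetchAll()) . ' row(s)';
}

foreach (array('abc123', "it's") as $id) {
    foreach ($builders as $name => $build) {
        printf("%-8s %-8s %s\n", $name, $id, run_sql($db, $build($id)));
    }
    printf("%-8s %-8s %s\n", 'prepared', $id, run_prepared($db, $id));
}
```

On SQLite the padded form matches no row, the hand-quoted form fails with a syntax error on the id that contains a quote, and only the quote() and bound-parameter forms find both rows.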