On Aug 6, 2010, at 8:08 AM, tedd wrote:
> At 10:10 PM -0400 8/5/10, Rick Dwyer wrote:
>> 2nd question, in the 3 [2] lines below:
>>
>> $checkstat = "select field from table where fieldid = $field_id";
>> $result1 = @mysql_query($checkstat,$connection) or die("Couldn't execute query");
>>
>> If I were to recode in the latter style, should they not look like this:
>>
>> $checkstat = 'select field from table where fieldid = "'.$field_id.'"';
>> $result1 = @mysql_query($checkstat,$connection) or die('Couldn\'t execute query');
>
> Rick:
>
> Others gave you good advice on quotes, but I'll address your second question
> on database queries.
>
> The following is in the form of what I normally do:
>
> $query = "SELECT field FROM table WHERE field_id = '$field_id' ";
> $result = mysql_query($query) or die("Couldn't execute query");
>
> Please note these are my preferences (others may have different preferences):
>
> 1. I use UPPERCASE for all MySQL syntax.
>
> 2. I do not use the @ before mysql_query because that suppresses errors. I
> prefer to see errors and fix them.
>
> 3. It's not necessary to include the second argument (i.e., $connection) in
> mysql_query.
>
> 4. IMO, a query should be named $query and a result should be named $result.
> If I have several results, then I use $result1, $result2, $result3, and so on.
>
> 5. I try to match MySQL field names to PHP variable names, such as field_id =
> '$field_id'. This makes it easier for me to read and debug.
>
> 6. Also note that the PHP variable $field_id is enclosed in single quotes
> within the query.
>
> 7. For the sake of readability, in the query I also place a space after the last
> single quote and before the ending double quote, such as field_id =
> '$field_id' ". -- I do not like, nor is it readable, to have a single-double
> quote (i.e., '").
>
> There is one additional thing that I do, but it requires an included
> function. For your kind review, in my query I do this:
>
> $result = mysql_query($query) or die(report($query, __LINE__, __FILE__));
>
> and the report function I include to the script is:
>
> <?php
> //==================== show dB errors ======================
>
> function report($query, $line, $file)
> {
> echo($query . '<br>' .$line . '<br>' . $file . '<br>' . mysql_error());
> }
> ?>
>
> That way, if something goes wrong, the report function will show in what file
> and at what line number the error occurred. Now, this is OK for development,
> but for production you should comment out the echo so you don't report errors
> publicly. Besides, you should have all the errors fixed before your script
> becomes production anyway, right? :-)
>
> HTH,
>
> tedd
>
Tedd,
Well said! I pretty much follow those same standards as well.
Especially with the naming of variables to match field names. I also make sure
that any form field names match my database names. It makes updating and
inserting records so much easier! I've written a database class that allows me
to update and insert records as easily as this:
$db->insert("table_name",$_POST);
$db->update("table_name","id_field_name",$id,$_POST);
And, yes, I do sanitize the data to make sure it doesn't do bad things to my
database! :)
Take care,
Floyd
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
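The queries in this thread build SQL by interpolating a PHP variable into the string, and Floyd's helper inserts whatever arrives in $_POST. The example below is added here and is not code from tedd, Floyd or the list: it runs the interpolated form of tedd's query and a prepared-statement form side by side against an in-memory SQLite database through PDO (assumed in place of the mysql_* extension, so it runs stand-alone), and shows an allow-listed version of the $db->insert("table_name", $_POST) pattern. The table "items", its columns, the sample rows and the simulated $_POST array are constructed for the example.

```php
<?php
// Added example, not from the thread. Uses PDO + in-memory SQLite so it runs
// with nothing but php-cli; the table, rows and inputs below are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (field_id INTEGER, field TEXT, secret TEXT)');
$db->exec("INSERT INTO items VALUES (1, 'one', 'top-secret-1'), (2, 'two', 'top-secret-2')");

// 1. tedd's style: the value is interpolated into the SQL text. The single
//    quotes around $field_id stop helping as soon as the value contains a
//    quote of its own, because the quote ends the literal and the rest of the
//    value becomes SQL.
function lookupInterpolated(PDO $db, string $field_id): array
{
    $query = "SELECT field FROM items WHERE field_id = '$field_id' ";
    return $db->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Prepared statement: the SQL text is fixed and the value travels
//    separately as a parameter, so it is compared as data, never parsed.
function lookupPrepared(PDO $db, string $field_id): array
{
    $stmt = $db->prepare('SELECT field FROM items WHERE field_id = :field_id');
    $stmt->execute([':field_id' => $field_id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$benign  = '1';
$hostile = "1' OR '1'='1";   // constructed attacker input for field_id

var_dump(lookupInterpolated($db, $benign));
var_dump(lookupInterpolated($db, $hostile));  // WHERE clause rewritten by the input
var_dump(lookupPrepared($db, $benign));
var_dump(lookupPrepared($db, $hostile));      // compared as one literal string

// 3. Floyd's $db->insert("table_name", $_POST) pattern. Parameters protect the
//    values, but column names cannot be bound, so the keys of $_POST must not
//    reach the SQL either: keep only columns the form is allowed to set, taken
//    from a fixed allow-list, and bind the values. $table is a constant here.
function insertRow(PDO $db, string $table, array $allowedColumns, array $post): int
{
    $columns = array_intersect_key($post, array_flip($allowedColumns));
    if ($columns === []) {
        throw new InvalidArgumentException('no permitted columns in input');
    }
    $names        = implode(', ', array_keys($columns));          // allow-listed names only
    $placeholders = implode(', ', array_fill(0, count($columns), '?'));
    $stmt = $db->prepare("INSERT INTO $table ($names) VALUES ($placeholders)");
    $stmt->execute(array_values($columns));
    return $stmt->rowCount();
}

// Simulated $_POST: two legitimate fields, an attempt to set a column the form
// should not touch, and a hostile key that would be fatal if used as a name.
$fakePost = [
    'field_id' => '3',
    'field'    => 'three',
    'secret'   => 'set-by-client',
    "x); DROP TABLE items; --" => 'y',
];
insertRow($db, 'items', ['field_id', 'field'], $fakePost);
var_dump($db->query('SELECT field, secret FROM items WHERE field_id = 3')->fetch(PDO::FETCH_ASSOC));
```

With the hostile input, the interpolated query returns every row because the WHERE clause has become field_id = '1' OR '1'='1', while the prepared query returns nothing because no row has a field_id equal to that literal string. The inserted row has "secret" left NULL and the hostile key discarded, since neither is in the allow-list; column names, table names and ORDER BY targets cannot be bound as parameters, so an allow-list is the only defence for them. The same applies to tedd's report() helper: printing the failed query and mysql_error() to the browser hands an attacker the table and column names they need, so in production log it server-side instead of echoing it.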