On Aug 6, 2010, at 8:08 AM, tedd wrote:

> At 10:10 PM -0400 8/5/10, Rick Dwyer wrote:
>> 2nd question, in the 3 [2] lines below:
>>
>> $checkstat = "select field from table where fieldid = $field_id";
>> $result1 = @mysql_query($checkstat,$connection) or die("Couldn't execute query");
>>
>> If I were to recode in the latter style, should they not look like this:
>>
>> $checkstat = 'select field from table where fieldid = "'.$field_id.'"';
>> $result1 = @mysql_query($checkstat,$connection) or die('Couldn\'t execute query');
>
> Rick:
>
> Others gave you good advice on quotes, but I'll address your second question
> on database queries.
>
> The following is in the form of what I normally do:
>
> $query = "SELECT field FROM table WHERE field_id = '$field_id' ";
> $result = mysql_query($query) or die("Couldn't execute query");
>
> Please note these are my preferences (others may have different preferences):
>
> 1. I use UPPERCASE for all MySQL syntax.
>
> 2. I do not use the @ before mysql_query because that suppresses errors. I
> prefer to see errors and fix them.
>
> 3. It's not necessary to include the second argument (i.e., $connection) in
> mysql_query.
>
> 4. IMO, a query should be named $query and a result should be named $result.
> If I have several results, then I use $result1, $result2, $result3, and so on.
>
> 5. I try to match MySQL field names to PHP variable names, such as field_id =
> '$field_id'. This makes it easier for me to read and debug.
>
> 6. Also note that the PHP variable $field_id is enclosed in single quotes
> within the query.
>
> 7. For the sake of readability, in the query I also place a space after the
> last single quote and before the ending double quote, such as field_id =
> '$field_id' ". I do not like, nor is it readable, to have a single/double
> quote (i.e., '").
>
> There is one additional thing that I do, but it requires an included
> function.
> For your kind review, in my query I do this:
>
> $result = mysql_query($query) or die(report($query,__LINE__,__FILE__));
>
> and the report function I include in the script is:
>
> <?php
> //==================== show dB errors ======================
>
> function report($query, $line, $file)
> {
>     echo($query . '<br>' . $line . '<br>' . $file . '<br>' . mysql_error());
> }
> ?>
>
> That way, if something goes wrong, the report function will show in what file
> and at what line number the error occurred. Now, this is OK for development,
> but for production you should comment out the echo so you don't report errors
> publicly. Besides, you should have all the errors fixed before your script
> becomes production anyway, right? :-)
>
> HTH,
>
> tedd
Tedd,

Well said! I pretty much follow those same standards as well, especially the naming of variables to match field names. I also make sure that any form field names match my database names. It makes updating and inserting records so much easier!

I've written a database class that allows me to update and insert records as easily as this:

$db->insert("table_name",$_POST);
$db->update("table_name","id_field_name",$id,$_POST);

And, yes, I do sanitize the data to make sure it doesn't do bad things to my database! :)

Take care,

Floyd

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
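The thread above builds its WHERE clause by interpolating $field_id into the query string and passes $_POST straight into an insert helper. The following is an added example, not code from tedd, Floyd, or the php.net list: it shows what a hostile $field_id does to the interpolated query, the same lookup done with a PDO prepared statement, an insert helper in the spirit of $db->insert("table_name", $_POST) that takes column names from a fixed whitelist rather than from the request, and a report() that logs instead of echoing. The users table, its columns, and the inputs are constructed for illustration, and an in-memory SQLite database stands in for MySQL so the script runs offline. The mysql_* functions used in the thread were removed in PHP 7, which is why PDO is used here.

```php
<?php
// Added example, not part of the original thread. Table, columns and inputs
// are made up; SQLite in memory replaces MySQL so this runs stand-alone.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// 1. The interpolated style from the thread: the request value becomes part
//    of the SQL text, so a quote inside it rewrites the query.
function buildInterpolated(string $field_id): string
{
    return "SELECT name FROM users WHERE id = '$field_id' ";
}

$attacker = "1' OR '1'='1";                       // constructed hostile input
$query = buildInterpolated($attacker);
echo $query, "\n";                                // WHERE id = '1' OR '1'='1'
$rows = $pdo->query($query)->fetchAll(PDO::FETCH_COLUMN);
echo 'interpolated query returned ', count($rows), " rows, expected 1\n";

// 2. Prepared statement: the value travels separately from the SQL text, so
//    the same string is just a value that matches no row.
function findNameById(PDO $pdo, string $field_id): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $field_id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}
echo 'prepared query returned ', count(findNameById($pdo, $attacker)), " rows\n";

// 3. Insert from a $_POST-shaped array. Column names come from $allowed, a
//    list the developer writes, never from the request; values are bound.
//    A client that adds an unexpected key (here "role") cannot set that column.
function insertRow(PDO $pdo, string $table, array $allowed, array $input): int
{
    $cols = array_values(array_intersect($allowed, array_keys($input)));
    if ($cols === []) {
        throw new InvalidArgumentException('no permitted columns in input');
    }
    $placeholders = implode(', ', array_map(fn(string $c): string => ":$c", $cols));
    $sql = sprintf('INSERT INTO %s (%s) VALUES (%s)',
        $table, implode(', ', $cols), $placeholders);
    $stmt = $pdo->prepare($sql);
    foreach ($cols as $c) {
        $stmt->bindValue(":$c", $input[$c]);
    }
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

$post = ['name' => "o'hara", 'role' => 'admin', 'id' => 99];  // stand-in for $_POST
$newId = insertRow($pdo, 'users', ['name'], $post);
$inserted = $pdo->query("SELECT name, role FROM users WHERE id = $newId")->fetch(PDO::FETCH_ASSOC);
echo 'inserted: ', json_encode($inserted), "\n";   // role stays NULL, quote is harmless

// 4. tedd's report(), with the detail sent to the server log instead of the
//    browser so production responses never reveal the query or error text.
function report(string $query, int $line, string $file, Throwable $e): void
{
    error_log("$file:$line: $query: " . $e->getMessage());
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo "Database error\n";
}

try {
    $pdo->query('SELECT nope FROM users');
} catch (PDOException $e) {
    report('SELECT nope FROM users', __LINE__, __FILE__, $e);
}
```

The whitelist in insertRow() is the part that matters for a $db->insert("table", $_POST) style helper: matching form field names to column names is convenient, but it means the request also chooses which columns are written unless the helper restricts them.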