Rick Dwyer wrote:
Hello all.

I inherited some PHP pages about a year ago. They have been fine all along but
now a bunch of erroneous errors and results are popping up. I traced it to the
way the variables were being used on the page... for example, the following SQL
statement (a space between ' and " for clarity):

sql="select name from mytable where name=$myvar and display='yes' ";

This has worked in the past but is now returning errors for some records and
working for others. I changed the above to the following and now all is good:

sql="select name from mytable where name=' ".$myvar." ' and display='yes' ";

What would explain why the former is suddenly causing problems? The version of
PHP is 5.2.3 and from what I can tell, hasn't been updated since February of 

I would have a closer look at what the contents of $myvar is when it's giving an error. I would suspect it might contain a " or a ' ? The first version is not taking care of any characters that may need escaping, so you may well have been lucky in the past?

sql="select name from mytable where name='$myvar' and display='yes' " is another option for a different 'result', but personally I prefer to pass variables like this as a parameter, so the query just has name=? and you pass the $myvar in an array of variables. This helps prevent suspect sql getting into the query as well, not such a problem here, but sensible practice anyway.

Lester Caine - G8HFL
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk//
Firebird - http://www.firebirdsql.org/index.php

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to