Since this was posted in php.general and php.db, I only ended up correcting
myself to the original poster and to php.general.
$table= 'elements';
$Name = mysql_escape_string($_POST['elementName']);
$sql = "INSERT INTO $table SET Name= '$Name'";
>> waste of variable space, and makes what you are do
On Thu, 16 Oct 2003, Jon Kriek wrote:
> I concur, assign the superglobal array to a variable ...
>
> $Name = strip_slashes($_POST['elementName']);
> $sql="INSERT INTO $table SET Name='$Name'";
>
> ... and then use that opportunity to run additional checks on the content.
Again, waste of variabl
On Fri, 17 Oct 2003, BAO RuiXian wrote:
> I see you can achieve this by two ways:
>
> 1. Take out all the inside quotes (single or double) like the following:
>
> $sql="insert into $table set Name = $_POST[elementName]";
This is bad. Using no quotes MAY work, but it is considered a
Actually, I meant to suggest addslashes() and mysql_escape_string()
--
Jon Kriek
http://phpfreaks.com
"Jon Kriek" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> I concur, assign the superglobal array to a variable ...
>
>
>
> $Name = strip_slashes($_POST['elementName']);
> $sql="I
I concur, assign the superglobal array to a variable ...
$Name = strip_slashes($_POST['elementName']);
$sql="INSERT INTO $table SET Name='$Name'";
... and then use that opportunity to run additional checks on the content.
--
Jon Kriek
http://phpfreaks.com
Adam Reiswig wrote:
$table="elements";
$sql="insert into $table set Name = '$elementName'";
This works with register_globals set to on. But, I want to be able to
turn that off. My code then, I am guessing, would be something as follows:
$table="elements";
$sql="insert into $table set Name = '$_POS