Re: [PHP-DB] Re: [PHP] $_POST in MySQL query issue...

2003-10-17 Thread Jon Kriek
Since this was posted in php.general and php.db, I only ended up correcting myself to the original poster and to php.general. $table= 'elements'; $Name = mysql_escape_string($_POST['elementName']); $sql = "INSERT INTO $table SET Name= '$Name'"; waste of variable space, and makes what you are doing

[PHP-DB] Re: [PHP] $_POST in MySQL query issue...

2003-10-16 Thread Jon Kriek
I concur, assign the superglobal array to a variable ... $Name = strip_slashes($_POST['elementName']); $sql=INSERT INTO $table SET Name='$Name']; ... and then use that opportunity to run additional checks on the content. -- Jon Kriek http://phpfreaks.com -- PHP Database Mailing List

[PHP-DB] Re: [PHP] $_POST in MySQL query issue...

2003-10-16 Thread Jon Kriek
Actually, I meant to suggest addslashes() and mysql_escape_string() -- Jon Kriek http://phpfreaks.com Jon Kriek [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I concur, assign the superglobal array to a variable ... $Name = strip_slashes($_POST['elementName']); $sql=INSERT INTO

Re: [PHP-DB] Re: [PHP] $_POST in MySQL query issue...

2003-10-16 Thread Peter Beckman
On Thu, 16 Oct 2003, Jon Kriek wrote: I concur, assign the superglobal array to a variable ... $Name = strip_slashes($_POST['elementName']); $sql=INSERT INTO $table SET Name='$Name']; ... and then use that opportunity to run additional checks on the content. Again, waste of variable

[PHP-DB] Re: [PHP] $_POST in MySQL query issue...

2003-10-16 Thread BAO RuiXian
Adam Reiswig wrote: $table="elements"; $sql="insert into $table set Name = '$elementName'"; This works with register_globals set to on. But, I want to be able to turn that off. My code then, I am guessing, be something as follows: $table="elements"; $sql="insert into $table set Name =

Re: [PHP-DB] Re: [PHP] $_POST in MySQL query issue...

2003-10-16 Thread Peter Beckman
On Fri, 17 Oct 2003, BAO RuiXian wrote: I see you can achieve this by two ways: 1. Take out all the inside quotes (single or double) like the following: $sql="insert into $table set Name = $_POST[elementName]"; This is bad. Using no quotes MAY work, but it is considered a BARE