Re: [PHP-DB] Re: [PHP] $_POST in MySQL query issue...

2003-10-17 Thread Jon Kriek
Since this was posted in php.general and php.db, I only ended up correcting
myself to the original poster and to php.general.

$table = 'elements';
$Name = mysql_escape_string($_POST['elementName']);
$sql = "INSERT INTO $table SET Name = '$Name'";

>> waste of variable space, and makes what you are doing less readable

I disagree, but that is ok, that is allowed =)

-- 
Jon Kriek
http://phpfreaks.com

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DB] Re: [PHP] $_POST in MySQL query issue...

2003-10-16 Thread Peter Beckman
On Thu, 16 Oct 2003, Jon Kriek wrote:

> I concur, assign the superglobal array to a variable ...
>
> $Name = stripslashes($_POST['elementName']);
> $sql = "INSERT INTO $table SET Name='$Name'";
>
> ... and then use that opportunity to run additional checks on the content.

 Again, waste of variable space, and makes what you are doing less
 readable.  You also don't want to strip slashes most likely.  If you have
 magic_quotes turned on, PHP will automatically backslash any escaped
 characters (', /, some others), so you don't need to use addslashes on
 that variable.  If it is not turned on, you will need to addslashes on
 your post variable.

 magic_quotes turned on
 You don't know "me"! => $_POST['elementName'] == You don\'t know \"me\"!

 Turned off
 You don't know "me"! => $_POST['elementName'] == You don't know "me"!

 If you don't addslashes when magic_quotes are turned off, your select will
 fail, as the string will end at the first set of quotes (just after "know
 ").

Beckman
---
Peter Beckman  Internet Guy
[EMAIL PROTECTED] http://www.purplecow.com/
---




Re: [PHP-DB] Re: [PHP] $_POST in MySQL query issue...

2003-10-16 Thread Peter Beckman
On Fri, 17 Oct 2003, BAO RuiXian wrote:

> I see you can achieve this by two ways:
>
>   1. Take out all the inside quotes (single or double) like the following:
>
>   $sql="insert into $table set Name = $_POST[elementName]";

 This is bad.  Using no quotes MAY work, but it is considered a "BARE WORD"
 and not an actual string.

$sql='insert into '.$table.' set Name = "'.addslashes($_POST['elementName']).'"';

 is the (more) correct way to do this.

>   2. Use a temporary variable for $_POST[elementName], like $elementName
> = $_POST[elementName], then continue to use your original SQL sentence
> from when register_globals was on.

 Waste (albeit very minor) of variable space.  Concat them.

Beckman
---
Peter Beckman  Internet Guy
[EMAIL PROTECTED] http://www.purplecow.com/
---
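The escaping question running through both of Beckman's replies (whether magic_quotes has already backslashed the value, and how to get the interpolated value quoted correctly) worked through as an added example; this is not code from the thread or from any of its posters. It assumes a PHP build with the pdo_sqlite extension so the statements run against an in-memory table without a MySQL server, uses SQLite's standard `INSERT INTO ... (col) VALUES (...)` form in place of MySQL's `INSERT ... SET`, and constructs the sample `$_POST` value itself.

```php
<?php
// Added example, not from the php-db thread: the same INSERT built three
// ways and executed against an in-memory SQLite table.
// Assumptions: pdo_sqlite is loaded; the table is named 'elements' as in
// the thread; SQLite needs INSERT ... VALUES rather than MySQL's INSERT ... SET.

// Constructed sample input: the string Beckman uses, with an inner apostrophe.
$_POST = ['elementName' => 'You don\'t know "me"!'];

$table = 'elements';
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE $table (Name TEXT)");

// Undo magic_quotes_gpc on a PHP that still has it (removed in PHP 8), so the
// value is escaped exactly once no matter how the server is configured.
function raw_post(string $key): string
{
    $value = $_POST[$key] ?? '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

$name = raw_post('elementName');

// 1. Interpolated with no escaping: the SQL literal ends at the apostrophe in
//    "don't", so the statement is rejected as a syntax error. This is the
//    failure Beckman describes for magic_quotes off with no addslashes().
try {
    $pdo->exec("INSERT INTO $table (Name) VALUES ('$name')");
    echo "unescaped: unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "unescaped: rejected (" . $e->getMessage() . ")\n";
}

// 2. Escaped by the driver: quote() adds the outer quotes and doubles the
//    inner apostrophe. On MySQL the equivalent is mysqli_real_escape_string()
//    on an open connection, which knows the connection's character set,
//    rather than the generic addslashes().
$pdo->exec("INSERT INTO $table (Name) VALUES (" . $pdo->quote($name) . ")");

// 3. Bound parameter: the value never becomes part of the SQL text, so the
//    quoting question from the thread does not arise at all.
$stmt = $pdo->prepare("INSERT INTO $table (Name) VALUES (?)");
$stmt->execute([$name]);

// Both safe forms stored the string exactly as the user typed it.
foreach ($pdo->query("SELECT Name FROM $table") as $row) {
    echo "stored: {$row['Name']}\n";
}
```

Run it with `php example.php`: the first INSERT prints a rejection, and the two stored rows both read `You don't know "me"!`. The prepared-statement form (3) is the one to prefer, since it removes the need to reason about magic_quotes or escaping at all.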




[PHP-DB] Re: [PHP] $_POST in MySQL query issue...

2003-10-16 Thread Jon Kriek
Actually, I meant to suggest addslashes() and mysql_escape_string()

-- 
Jon Kriek
http://phpfreaks.com

"Jon Kriek" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> I concur, assign the superglobal array to a variable ...
>
>
>
> $Name = stripslashes($_POST['elementName']);
> $sql = "INSERT INTO $table SET Name='$Name'";
>
> ... and then use that opportunity to run additional checks on the content.
>
> -- 
> Jon Kriek
> http://phpfreaks.com




[PHP-DB] Re: [PHP] $_POST in MySQL query issue...

2003-10-16 Thread Jon Kriek
I concur, assign the superglobal array to a variable ...



$Name = stripslashes($_POST['elementName']);
$sql = "INSERT INTO $table SET Name='$Name'";

... and then use that opportunity to run additional checks on the content.

-- 
Jon Kriek
http://phpfreaks.com




[PHP-DB] Re: [PHP] $_POST in MySQL query issue...

2003-10-16 Thread BAO RuiXian


Adam Reiswig wrote:

$table="elements";
$sql="insert into $table set Name = '$elementName'";
This works with register_globals set to on.  But, I want to be able to 
turn that off.  My code then, I am guessing, would be something as follows:

$table="elements";
$sql="insert into $table set Name = '$_POST["elementName"]'";
I see you can achieve this by two ways:

	1. Take out all the inside quotes (single or double) like the following:

	$sql="insert into $table set Name = $_POST[elementName]";

	2. Use a temporary variable for $_POST[elementName], like $elementName 
= $_POST[elementName], then continue to use your original SQL sentence 
from when register_globals was on.

Best

Bao

Unfortunately this and every other combination I can think of, 
combinations of quotes that is, does not work.  I believe the source of 
the problem is the quotes within quotes within quotes. I also tried: