RE: [PHP] Query from POST_VARS

2002-04-03 Thread Maxim Maletsky


You can also use this mySQL syntax:

INSERT INTO table SET

field1='$value1',
field2='$value2',

...etc


Sincerely,

Maxim Maletsky
Founder, Chief Developer

PHPBeginner.com (Where PHP Begins)
[EMAIL PROTECTED]
www.phpbeginner.com


> -Original Message-
> From: chris allen [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 03, 2002 10:01 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Query from POST_VARS
> 
> Question on a mysql insert query:
> 
> while(list($key, $val) = each($HTTP_POST_VARS)) {
> 
> $string .= "'". $val ."'" .",";
> }
> 
> $insert_query = "insert into data_16 values ('$string')";
> 
> 
> Do I need the single quotes for data being put into table?
> Ex:
> 
> $insert_query =('data' , 'data2', 'data3') etc
> 
> or can it be without the single quotes?
> as in
> 
> (data, data2, data3)  ???
> 
> As far as I understand I only need quotes here:
> 
> $insert_query = "insert into data_16 values ('$string')";
>                                              ^       ^
> 
> 
> Am I right??
> 
> 
> thanks
> -ccma
> 
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php







RE: [PHP] Query from POST_VARS

2002-04-03 Thread Matt Schroebel

In my opinion, you should always single-quote everything, including numerics. Why?
Say you have a:
$sql = "Delete from table where id=$id";

where id is expected to be numeric.

What if the variable id ends up containing:
7 or id>0

So the sql would end up as
$sql = "Delete from table where id=7 or id>0";

If the code was:
$sql = "Delete from table where id='$id'";
It would expand to:
$sql = "Delete from table where id='7 or id>0'";
And wouldn't match any row of the table.

Of course, someone would need to know your table structure to feed that extra data, 
but that information leaks out. It's common to use form field names the same as column 
names, or to echo failed sql statements to the world. If you single quote and validate 
input for expected types, you'll prevent that attack.

> -Original Message-
> From: chris allen [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, April 03, 2002 3:01 PM
> Do I need the single quotes for data being put into table? 
> Ex:
> 
> $insert_query =('data' , 'data2', 'data3') etc

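The query-building styles Matt compares, written out as an added example that is not part of the thread; the `items` table name, the `$pdo` connection and the function names are assumptions, and the input string is the one from his message.

```php
<?php
// Added example (not from the thread): building the DELETE statement
// from Matt's message in three ways, fed with his "7 or id>0" input.

// 1. Unquoted value spliced straight into the SQL text: the input is
//    parsed as SQL, so the "or id>0" becomes a second condition.
function unquoted_delete(string $id): string {
    return "DELETE FROM items WHERE id=$id";
}

// 2. Single-quoted value: the input is contained in one string literal, so
//    it cannot add a condition. Quoting alone is still not sufficient: how
//    MySQL compares that string with an integer column depends on its
//    string-to-number cast, and a value containing a quote would break out
//    of the literal, so validation or escaping is required as well.
function quoted_delete(string $id): string {
    return "DELETE FROM items WHERE id='$id'";
}

// 3. Validate the expected type first (Matt's "validate input for expected
//    types"): anything that is not a plain integer never reaches the SQL.
function validated_delete(string $id): ?string {
    if (!ctype_digit($id)) {
        return null;                       // rejected; no query is built
    }
    return "DELETE FROM items WHERE id=" . (int) $id;
}

// 4. Prepared statement: the value is sent separately from the SQL text and
//    is never parsed as SQL. $pdo is assumed to be an open PDO connection.
function prepared_delete(PDO $pdo, string $id): bool {
    if (!ctype_digit($id)) {
        return false;
    }
    $stmt = $pdo->prepare('DELETE FROM items WHERE id = :id');
    return $stmt->execute([':id' => (int) $id]);
}

$input = '7 or id>0';                      // constructed input from the thread
echo unquoted_delete($input), "\n";        // second condition appended to the WHERE
echo quoted_delete($input), "\n";          // input confined to one string literal
var_dump(validated_delete($input));        // rejected before any SQL is built
var_dump(validated_delete('7'));           // accepted: a plain integer id
```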




Re: [PHP] Query from POST_VARS

2002-04-03 Thread chris allen

ty tyler :)

saves a bunch of time.

w00t!!






Re: [PHP] Query from POST_VARS

2002-04-03 Thread Tyler Longren

From what I've experienced, you're correct.

Tyler Longren
Captain Jack Communications
[EMAIL PROTECTED]
www.captainjack.com

- Original Message -
From: "chris allen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 03, 2002 2:00 PM
Subject: [PHP] Query from POST_VARS


> Question on a mysql insert query:
>
> while(list($key, $val) = each($HTTP_POST_VARS)) {
>
> $string .= "'". $val ."'" .",";
> }
>
> $insert_query = "insert into data_16 values ('$string')";
>
>
> Do I need the single quotes for data being put into table?
> Ex:
>
> $insert_query =('data' , 'data2', 'data3') etc
>
> or can it be without the single quotes?
> as in
>
> (data, data2, data3)  ???
>
> As far as I understand I only need quotes here:
>
> $insert_query = "insert into data_16 values ('$string')";
>                                              ^       ^
>
>
> Am I right??
>
>
> thanks
> -ccma
>
>
>
>






[PHP] Query from POST_VARS

2002-04-03 Thread chris allen

Question on a mysql insert query:

while(list($key, $val) = each($HTTP_POST_VARS)) {

$string .= "'". $val ."'" .",";
}

$insert_query = "insert into data_16 values ('$string')";


Do I need the single quotes for data being put into table? 
Ex:

$insert_query =('data' , 'data2', 'data3') etc

or can it be without the single quotes?
as in 

(data, data2, data3)  ???

As far as I understand I only need quotes here:

$insert_query = "insert into data_16 values ('$string')";
                                             ^       ^


Am I right??


thanks
-ccma

