On 21 July 2017 at 17:50, Tim Streater <[email protected]> wrote:
> $sql = "UPDATE Movies SET name = '$newname' where id=$newid";
>
> Personally I don't like forcing PHP to scan strings so I tend to use
> concatenation, rewriting the last of these as:
>
> $sql = 'UPDATE Movies SET name = \'' . $newname . '\' where id=' .
> $newid;
>
> but that's just a personal style preference.
>

Either way, I hope for your sake no one releases a movie called:

Avengers!'; Drop Table Movies; --

;)

As Simon says, better to use something like

$sql = 'UPDATE Movies SET name = ? WHERE id = ?'

and bind your parameters in.

-Rowan
_______________________________________________
sqlite-users mailing list
[email protected]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
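The injection Rowan describes, and the parameter-binding fix, worked through end to end against SQLite. This is an added example, not code from the thread; it uses Python's sqlite3 module rather than PHP because the list is about SQLite and the point is the same in any host language. The Movies rows and the hostile title are constructed here. One assumption to note: Python's sqlite3.execute() refuses to run more than one statement per call, so the unsafe path uses executescript() to stand in for a database driver that happily runs everything in the string.

```python
import sqlite3

# Constructed sample data for this example (not from the mailing-list post).
SEED_ROWS = [(1, "Ant-Man"), (2, "Black Panther")]
# The title from Rowan's joke: closes the string literal, runs a second
# statement, then comments out the rest of the original query.
HOSTILE_NAME = "Avengers!'; Drop Table Movies; -- "


def make_db():
    """Fresh in-memory SQLite database with a small Movies table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Movies (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO Movies (id, name) VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def table_exists(conn, table):
    """True if `table` is still present in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    return row is not None


def rename_unsafe(conn, newid, newname):
    """String-built UPDATE, the same shape as the quoted PHP.

    executescript() is used deliberately (assumption: it models a driver
    that executes every statement it is handed), so the injected
    'Drop Table Movies' actually runs.
    """
    sql = "UPDATE Movies SET name = '" + newname + "' where id=" + str(newid)
    conn.executescript(sql)
    return sql


def rename_safe(conn, newid, newname):
    """Parameterised UPDATE: the values are bound, never parsed as SQL.

    Returns the number of rows changed.
    """
    cur = conn.execute("UPDATE Movies SET name = ? WHERE id = ?", (newname, newid))
    conn.commit()
    return cur.rowcount


def demo_unsafe():
    """Run the hostile title through the string-built query.

    Returns whether the Movies table survived (it does not).
    """
    conn = make_db()
    rename_unsafe(conn, 1, HOSTILE_NAME)
    return table_exists(conn, "Movies")


def demo_safe():
    """Run the same hostile title through the bound query.

    Returns the stored name for id 1: the literal string, quotes and all.
    """
    conn = make_db()
    rename_safe(conn, 1, HOSTILE_NAME)
    if not table_exists(conn, "Movies"):
        return None
    return conn.execute("SELECT name FROM Movies WHERE id = 1").fetchone()[0]


def demo_safe_id():
    """Binding also protects the unquoted id: '1 OR 1=1' is compared as a
    text value against the integer column and matches nothing.

    Returns (rows changed, names still in the table).
    """
    conn = make_db()
    changed = rename_safe(conn, "1 OR 1=1", "Owned")
    names = [r[0] for r in conn.execute("SELECT name FROM Movies ORDER BY id")]
    return changed, names


if __name__ == "__main__":
    print("table survives string-built query:", demo_unsafe())
    print("name stored by bound query:", demo_safe())
    print("bound id injection attempt:", demo_safe_id())
```

The contrast worth remembering is that escaping is not the fix here; binding is. In the safe path SQLite never sees the quote or the semicolon as syntax, so the awkward title is stored verbatim and the DROP never runs.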

