Differences between version 3 and revision by previous author of PhpHowto.
Newer page: version 3, last edited on Sunday, October 31, 2004 11:53:56 am by PhilMurray
Older page: version 2, last edited on Sunday, October 31, 2004 12:50:40 am by AristotlePagaltzis
@@ -28,13 +28,13 @@
!!Tips
__DONT__ put $_POST, $_GET or $_REQUEST varible straght into an SQL statment! Rather put the varible through the [mysql_escape_string()|http://www.php.net/manual/en/function.mysql-escape-string.php] function.
Ignoring this leaves you database exposed to attacks from [ScriptKiddie]s. %%% ie.
- $myVarFromForm = $
mysql_escape_string(
($_REQUEST[
['myVarFromForm']);
+ $myVarFromForm = mysql_escape_string($_REQUEST['myVarFromForm']);
$SQL = "SELECT * FROM mytable WHERE mycol = '$myVarFromForm'";
"" != '' - you can insert varibles directly into double quoted strings! Arrays (and objects) can also be inserted this way by puting the varible in a set of {} squiglyBrakets ! %%% ie.
$var = 'Hello ' . $name . ', ' . $myArray[[3] . ' is the 3rd array element';
can be writen as
$var = "Hello $name, {$myArray[[3]} is the 3rd array element";
I would tend to use {$name} for clarity.
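Review bot: the reassembled `+` line restores the intended call, but the function it recommends is the weaker one: mysql_escape_string() ignores the character set of the open connection, and the PHP manual points to mysql_real_escape_string() instead, so the example should read `$myVarFromForm = mysql_real_escape_string($_REQUEST['myVarFromForm']);` (note that mysql_real_escape_string() needs an established connection). The tip should also say that escaping only protects a value that is wrapped in quotes in the statement, as it is on the `$SQL = "SELECT * FROM mytable WHERE mycol = '$myVarFromForm'";` line; an unquoted numeric value in the SQL still needs casting or validation, since there is nothing for the escaping to close.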