POST variables in mysql query

**JasonDFR** · 10-24-2008, 07:44 AM

I am inserting POST, GET, and SESSION variables into mysql queries like this:

Code:

$q2 = "UPDATE `contest_answers`
SET `answer` = '$q_2_ans'
WHERE `ans_id` = {$_POST['ans_2_id']} LIMIT 1 "

Is this the "best practice" or is there a better way to do it?

(validation has been done on the POST variable)

Thanks!

Jason

**rangana** · 10-24-2008, 10:03 AM

Ensure you've escaped special characters already:

PHP Code:


mysql_real_escape_string($_POST['ans_2_id'])

**JasonDFR** · 10-24-2008, 10:28 AM

Yes, good advice. I had escaped the special characters.

Use of the curly brackets in the query was my main concern.

Is there a "best practice" for putting POST, GET, or SESSION variables into a mysql query?

Thanks!

J

**Twey** · 10-24-2008, 10:43 AM

Personally, I like sprintf():

Code:

mysql_query(sprintf('UPDATE contest_answers SET answer = '%s' where ans_id = %d',
                   $q_2_ans,
                   $_POST['ans_2_id']))
  or die(mysql_error());

**Twey** · 10-24-2008, 10:43 AM

Personally, I like sprintf():

Code:

mysql_query(sprintf('UPDATE contest_answers SET answer = \'%s\' where ans_id = %d',
                   $q_2_ans,
                   $_POST['ans_2_id']))
  or die(mysql_error());

**JasonDFR** · 10-24-2008, 10:58 AM

I had not thought of that. What is the advantage to using sprintf?

Thanks Twey.

Jason

**Twey** · 10-24-2008, 11:57 AM

Well for a start you've got a little validation for free — there's no way that %d can be a string, for example. Conjointly, it increases the readability of the query by showing the query separately, without all the clumsy parameter-preparing code getting in the way.

Of course, if you have them available, PDO prepared statements are preferable by far, since they take care of all escaping, delimiting, and other assorted nonsense for you, as well as providing you with many devices by use of which you can greatly neaten your code.

**JasonDFR** · 10-24-2008, 03:17 PM

Cool! Thanks a lot Twey. PDO looks great. You know of any good tutorials?

J

**gwesco** · 06-03-2009, 05:35 PM

Along the same line, I am trying to create a function to allow me to update a database when a user selects a quantity in a form.

Here's my function so far:

PHP Code:


<?php



$QTY = $_POST['qty'];

Print $QTY;

echo '<P>';  // Test to see if qty is being passed (It is)



function updateDbase () {



// Connects to your Database

$db = DB::connect('mysql://username:password@localhost/my_inventory');

if (DB::isError($db)) { die ("Can't connect: " . $db->getMessage()); }



// Set up automatic error handling

$db->setErrorHandling(PEAR_ERROR_DIE);



$db->query("UPDATE inventory SET InStock = InStock - ( ) where inventory . PartNumber =123456");



mysql_close();



 }

?>

My problem is getting the variable into the () in the query. Apparently the code needs to be a little more complex than this? When I plug a number into the (), the database updates correctly so I know everything is working up to that point.

Thanks for any help. I am learning PHP and am not a master of MySql yet. ;-)

**rangana** · 06-03-2009, 06:45 PM

It doesn't appear to be "MySql" query for me.

I'm uncertain if I totally understand you, but try:

Code:

$db->query("UPDATE inventory SET InStock = InStock - ( ) where inventory . PartNumber =".$QTY."\"");

Thread: POST variables in mysql query

Thread Tools

Search Thread

POST variables in mysql query

Bookmarks

Bookmarks

Posting Permissions