problem regarding a code

[heshan]

Hi,

 

i found this coding from a web site. Can anyone what is the meaning of this code when selecting data.

$sql =("SELECT `customer_id`, `nic`, `full_name`, `name_with_initials`, `address`, `contact_number`, `gender` FROM `customer` WHERE  `nic`='%s'", mysql_real_escape_string($_POST['nic']) );

  $result=mysql_query($sql) or die( mysql_error() );

 

Specially that part where `nic`='%s'" and real_escape_string().

 

Thanks,

[fortnox007]

- % is used for the like condition in SQL. This gives some background

  http://www.techonthenet.com/sql/like.php If i am correct it checks if the input ends with the letter "s"

- mysql_real_escape_string is a sanitizing function to transform bad input. in this case user submitted by the post variable 'nic' If you would not do that users may be able to execute arbitrary sql like drop table.

 

So in this case it checks:

Whether the sanitized input by the end-user exists in the table customer_id ending with the letter "s"

and if it doesn't it dies and errors out

[mikosiko]

fortnox is incorrect based on the format of the sentence.

 

this sentence is incomplete

$sql =("SELECT `customer_id`, `nic`, `full_name`, `name_with_initials`, `address`, `contact_number`, `gender` FROM `customer` WHERE  `nic`='%s'", mysql_real_escape_string($_POST['nic']) )

;

 

should be write this way

 

$sql = sprintf("SELECT `customer_id`, `nic`, `full_name`, `name_with_initials`, `address`, `contact_number`, `gender` FROM `customer` WHERE  `nic`='%s'", mysql_real_escape_string($_POST['nic']) );

 

there '%s'  is formating mysql_real_escape_string($_POST['nic']) as a string.

 

http://www.php.net/manual/en/function.sprintf.php

 

 

[heshan]

Thank you for both of you guys..

[fortnox007]

thanks mikosiko, i just googled it : )