
[SOLVED] Quoting


Ken2k7


Okay I just want to see if this works or not:

 

$sql = mysql_query("SELECT * FROM member WHERE name='$_SESSION['name']'") or die(mysql_error());

 

See where it says: ...name='$_SESSION['name']'...?

 

Do the quotes work on that part or do I need to use the character '\'?

Link to comment
Share on other sites

Actually, since it's in a string, you don't really need quotes.

But one thing you'll need to observe is the possibility of an SQL-injection attack, meaning someone could rewrite your query to do malicious things - which isn't good. Be sure you escape your data properly.

Link to comment
Share on other sites

Actually, since it's in a string, you don't really need quotes.

 

Erm yes you do!

But one thing you'll need to observe is the possibility of an SQL-injection attack, meaning someone could rewrite your query to do malicious things

It's a SESSION, not a POST or GET so how would the user do that ????

Link to comment
Share on other sites

Actually, since it's in a string, you don't really need quotes.

 

Erm yes you do!

But one thing you'll need to observe is the possibility of an SQL-injection attack, meaning someone could rewrite your query to do malicious things

It's a SESSION, not a POST or GET so how would the user do that ????

 

I've used a $_SESSION string without using quotes before...and I've done it a lot.

Link to comment
Share on other sites

It's a bad habit, and if you turn on error reporting you'll see a ton of errors,

 

$_SESSION[the_session]

will look for a constant named the_session and will fail to find one, and then will send a notice,

but php will then use the_session as the variable..

 

so to sum up, PHP is fixing the error "per se" but it's still bad practice..

 

Link to comment
Share on other sites

options are

use either

$sql = mysql_query("SELECT * FROM member WHERE name='{$_SESSION['name']}'") or die(mysql_error());

or

 

$sql = mysql_query("SELECT * FROM member WHERE name='".$_SESSION['name']."'") or die(mysql_error());

 

or

$name = $_SESSION['name'];

$sql = mysql_query("SELECT * FROM member WHERE name='$name' ") or die(mysql_error());

Link to comment
Share on other sites
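An added example, not code from the thread: it shows that the three options above build the same SQL string, and that a session value containing a quote character still ends up inside the SQL text unless the query is parameterized. It assumes PHP with the pdo_sqlite extension (the mysql_* functions used in the thread were removed in PHP 7.0); the table contents and the `$session` array standing in for `$_SESSION` are constructed for the demonstration.

```php
<?php
// Added example: constructed data, in-memory SQLite through PDO (assumed available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE member (name TEXT, email TEXT)");
$db->exec("INSERT INTO member VALUES ('O''Brien', 'ob@example.test'), ('ken', 'ken@example.test')");

// Stand-in for $_SESSION: the name was typed by a user at sign-up and copied
// into the session at login, so it is still user-controlled data.
$session = ['name' => "O'Brien"];

// The three string-building options from the thread.
$name = $session['name'];
$q1 = "SELECT * FROM member WHERE name='{$session['name']}'";
$q2 = "SELECT * FROM member WHERE name='" . $session['name'] . "'";
$q3 = "SELECT * FROM member WHERE name='$name'";
echo "options build identical SQL: ";
var_dump($q1 === $q2 && $q2 === $q3);

// The apostrophe in the value closes the SQL string literal early, so the
// value has become part of the SQL text and the statement no longer parses.
try {
    $db->query($q1);
    echo "concatenated query ran\n";
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}

// Prepared statement: the SQL text is fixed and the value is bound separately,
// so quote characters inside it are treated as data only.
$stmt = $db->prepare("SELECT name, email FROM member WHERE name = :name");
$stmt->execute([':name' => $session['name']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo $row ? "found {$row['name']} <{$row['email']}>\n" : "no match\n";
```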

I usually do it the last way MadTechie showed. I find it's cleaner and you might need to use $name later so why mess with $_SESSION['name'] every time :)

 

True! but the key words ...I've used...

 

I don't do it without quotes anymore.

 

but...lol we haven't really helped the topic starter out really, we are off in our own little circle, not unless he gave up and stopped reading our posts

Link to comment
Share on other sites

Okay thanks guys. ^_^

 

Lastly, does this work (I don't feel like starting a new topic):

 

<?php
/* Codes not shown */
$sql = mysql_query("SELECT * FROM member");
// pulling database info directly using $sql
$name = $sql['name'];
/* Codes not shown */
?>

Link to comment
Share on other sites

Nope, but close

 

<?php
/* Codes not shown */

/* make a request SQL*/
$sql = mysql_query("SELECT * FROM member");

// pulling database info directly using $sql
$row = mysql_fetch_assoc($sql); //edit pesky ;
//display the data
$name = $row['name'];
echo $name;
/* Codes not shown */
?>

Link to comment
Share on other sites

Nope, but close

 

<?php
/* Codes not shown */

/* make a request SQL*/
$sql = mysql_query("SELECT * FROM member");

// pulling database info directly using $sql
$row = mysql_fetch_assoc($sql); //edit pesky ;
//display the data
$name = $row['name'];
echo $name;
/* Codes not shown */
?>

 

to add to that you can also use:

 

/* make a request SQL*/

$sql = mysql_query("SELECT * FROM member");

 

// pulling database info directly using $sql

$row = mysql_fetch_array($sql); //edit pesky ;

//display the data

$name = $row['name'];

echo $name;

 

 

mysql_fetch_assoc and mysql_fetch_array are basically the same thing

Link to comment
Share on other sites

Oh darn!  :D

 

Thanks MadTechie.

 

Speaking of the quotes, do I have to use the curly braces ({}) every time I put them in strings?

 

Like this too:

<?php

/* codes not shown */

if (sha1($_SESSION['pass']) == $sql['password']) header("Location: {$_SESSION['name']}");

/* codes not shown*/

?>

Link to comment
Share on other sites

No, there are 3 options stated above,

 

options are

 

use either

1.

$sql = mysql_query("SELECT * FROM member WHERE name='{$_SESSION['name']}'") or die(mysql_error());

or

2.

$sql = mysql_query("SELECT * FROM member WHERE name='".$_SESSION['name']."'") or die(mysql_error());

 

or

3.

$name = $_SESSION['name'];
$sql = mysql_query("SELECT * FROM member WHERE name='$name' ") or die(mysql_error());

 

All do the same thing. If you plan to use it a lot in the current script then use the third option

 

find the one that you find works best

Link to comment
Share on other sites
