
can anyone explain the logic of the quotes in this code?



I am confused as to what the necessary components of the query below are. I understand everything except the '".$_POST['username']."'. Is that really necessary? And, if so, I would love to know why.

 

 

//Check if username already exists... 
$q2 = mysql_query("SELECT * FROM `members` WHERE `username` = '".$_POST['username']."'");
   $q3 = mysql_fetch_object($q2);
   
    if($q3->username == $_POST['username'])

While the code should be properly validated, sanitized, and finally escaped before being entered into this query (which it presumably is not), this is a pretty basic concept.

 

There is a form with the method of post set. The user fills out the form putting the variables in the post array. The username field is accessed via $_POST['username'] so that it can dynamically create the query string.

<?php
$q2 = mysql_query("SELECT * FROM `members` WHERE `username` = '" . $_POST['username'] . "';");
?>

I do this all the time to help me code and debug faster in Dreamweaver.... I love the color text for all the keywords.

 

but you also could do:

<?php
$q2 = mysql_query("SELECT * FROM `members` WHERE `username` = '$_POST[username]';");
?>

This does the same thing as the code above.

It is more of a coding preference practice than anything else.

 

Later

Stormen

<?php

$result = mysql_query("SELECT * FROM `members` WHERE `username` = '".$_POST['username']."'");
$obj = mysql_fetch_object($result);
   
if($obj->username == $_POST['username']) {
    print 'we found a row with the same username as the username in POST!';
} else {
    print 'this could logically never run';
}


//////////////////////////////////
//This should be used instead:
//////////////////////////////////

//mysql_real_escape_string protects from SQL injections (hacking)
$result = mysql_query('SELECT * FROM `members` WHERE `username` = \''. mysql_real_escape_string($_POST['username']). '\'');

//If we found a matching row
if(mysql_num_rows($result) > 0) {
    //Get the row as an object
    $obj = mysql_fetch_object($result);
    //htmlspecialchars keeps the stored username from being rendered as HTML
    print 'We found the username <b>'. htmlspecialchars($obj->username). '</b>';
    
} else {
    print 'Username not found';
}


?>

wow... no one answered the damn question...

 

the logic is that php puts strings together with periods.

 

like:

 

$a1 = "i am a ";
$a2 = "big doo doo head";

$a = $a1 . $a2; 

 

$a would return "i am a big doo doo head"

 

the logic is that, to make sure EVERYTHING is kosher, you stop the mysql string EXACTLY where the " is, which is right before a ' and put the variable in without adding extra spacing by accident

 

hope that's what you needed.
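
An added example, not part of any post in this thread: it prints the SQL text that the quote-and-period concatenation discussed above produces for three usernames, then runs the same lookup as a parameterized query. It assumes PDO with the SQLite driver so it runs without a MySQL server; the table contents, the `$inputs` stand-in for `$_POST['username']`, and the function names `build_concatenated` and `username_exists` are constructed for illustration.

```php
<?php
// Constructed data in an in-memory SQLite database (assumption: pdo_sqlite is installed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY)');
$db->exec("INSERT INTO members (username) VALUES ('stormen'), ('O''Brien')");

// Stand-in for $_POST['username'] so the script runs from the command line.
$inputs = ['stormen', "O'Brien", 'nobody'];

// The thread's approach: close the PHP string, append the value, reopen it.
// The single quotes belong to SQL; the double quotes and periods belong to PHP.
function build_concatenated($username) {
    return "SELECT * FROM members WHERE username = '" . $username . "'";
}

// Parameterized form: the SQL text is fixed and the value is sent separately,
// so no quote characters are needed around the placeholder.
function username_exists(PDO $db, $username) {
    $stmt = $db->prepare('SELECT COUNT(*) FROM members WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchColumn() > 0;
}

foreach ($inputs as $username) {
    $sql = build_concatenated($username);
    echo "input:               $username\n";
    echo "concatenated SQL:    $sql\n";
    try {
        $found = $db->query($sql)->fetch() !== false;
        echo 'concatenated result: ' . ($found ? 'found' : 'not found') . "\n";
    } catch (PDOException $e) {
        // An apostrophe inside the value ended the SQL string literal early.
        echo "concatenated result: SQL error\n";
    }
    echo 'prepared result:     '
        . (username_exists($db, $username) ? 'found' : 'not found') . "\n\n";
}
```

The second input shows why the value has to be escaped or bound: its apostrophe becomes part of the SQL syntax in the concatenated string, while the prepared statement treats it as data.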
