frijole Posted February 26, 2008

I am confused as to what the necessary components of the query below are. I understand everything except the '".$_POST['username']."'. Is that really necessary? And if so, I would love to know why.

    //Check if username already exists...
    $q2 = mysql_query("SELECT * FROM `members` WHERE `username` = '".$_POST['username']."'");
    $q3 = mysql_fetch_object($q2);
    if($q3->username == $_POST['username']) {
        die('<BR><BR>Sorry, but the username "'.$q3->username.'" is taken, please choose another.');
    }

PFMaBiSmAd Posted February 27, 2008

Closing the quoted string and concatenating a variable and then reopening the quoted string is one way of placing variables into a string, but results in a lot of posts in help forums with syntax errors due to keeping all the . ' and " straight.

An alternative is to surround any PHP variable inside of a double-quoted string with {} (only necessary if the variable is an array, but makes regular variables stand out and always work) -

    query("SELECT * FROM `members` WHERE `username` = '{$_POST['username']}'");

frijole Posted February 27, 2008 (Author)

Thank you. That makes much more sense to me.

Barand Posted February 27, 2008

Let's take them bit by bit.

    $_POST['username']

If you use $_POST[username] then the processor thinks username is a defined constant so it will search for the definition. When it doesn't find a definition it will (correctly) assume it is a literal string value 'username'. You have now wasted the time to search for the definition because you didn't use $_POST['username'] in the first place. Always quote strings used as an array index.

    "... WHERE `username` = '".$_POST['username']."'"

If $_POST['username'] contains 'frijole' then this reads as

    "... WHERE `username` = 'frijole' "

Without '..' round frijole it will assume it is a column name and not a string value. Always quote string values in SQL queries. Numeric values can be quoted, but it isn't required.

    FROM `members` WHERE `username`

The backticks tell SQL it is a table or column name. These are only necessary if

a) the column/table name contains spaces (`user name`), which should be avoided anyway
b) the column/table name is a reserved MySQL word, such as `desc` (again, avoid them).
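
An added example, not part of the thread and not any poster's code: the same username check written with a PDO prepared statement, next to the concatenated form discussed above, to show what happens when the submitted value itself contains a single quote. It assumes the pdo_sqlite extension; the in-memory table, the function names takenConcat and takenPrepared, and the usernames are constructed for the illustration.

```php
<?php
// Added example (not from the thread). Assumes pdo_sqlite is available;
// the in-memory `members` table and the usernames are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (username TEXT PRIMARY KEY)");
$db->exec("INSERT INTO members (username) VALUES ('frijole')");
$db->exec("INSERT INTO members (username) VALUES ('o''brien')");

// Concatenated form from the thread: the value becomes part of the SQL text,
// so a quote inside the value ends the string literal early.
function takenConcat(PDO $db, string $username): ?bool
{
    $sql = "SELECT username FROM members WHERE username = '" . $username . "'";
    try {
        return $db->query($sql)->fetchColumn() !== false;
    } catch (PDOException $e) {
        return null; // the statement no longer parses as intended
    }
}

// Prepared form: the SQL text is fixed and the value is bound separately,
// so no quoting or escaping of the value is needed.
function takenPrepared(PDO $db, string $username): bool
{
    $stmt = $db->prepare("SELECT username FROM members WHERE username = ?");
    $stmt->execute([$username]);
    return $stmt->fetchColumn() !== false;
}

foreach (['frijole', 'newuser', "o'brien"] as $name) {
    printf(
        "%-8s concat=%-5s prepared=%s\n",
        $name,
        var_export(takenConcat($db, $name), true),
        var_export(takenPrepared($db, $name), true)
    );
}
```

With PDO against MySQL only the connection string changes; the prepare and execute calls stay the same.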