
Which is the best method?


dmccabe


When inserting values into a database from a POST form, is it better to set the POST results to variables or to just use $_POST['blah'] directly in the SQL statement?

 

ie:

[code]
$name = $_POST['name'];
$tel = $_POST['tel'];
$insert = "INSERT INTO `tbl_purchaseorders` (`name`, `tel`) VALUES ('$name', '$tel')";
[/code]

or

[code]
$insert = "INSERT INTO `tbl_purchaseorders` (`name`,`tel`) VALUES ('{$_POST['name']}','{$_POST['tel']}')";
[/code]

?

https://forums.phpfreaks.com/topic/98345-which-is-the-best-method/

BlueSky is correct about sanitizing the user-inputted variables.

 

As far as your question goes.... assigning the $_POST array to variables is neater, but less efficient. It really doesn't cause a huge performance hit, unless the code is getting executed hundreds of times a second (in a loop, or extremely traffic-heavy environment).

 

Do whatever best suits your needs. It makes for prettier code, but I wouldn't suggest doing it in a loop or traffic-heavy environment.

Thanks again, so how would I use mysql_real_escape_string() in this instance?

 

Like this:

[code]
$insert = "INSERT INTO `tbl_purchaseorders` (`name`,`tel`) VALUES ("mysql_real_escape_string($_POST['name']),mysql_real_escape_string($_POST['tel'])")";
[/code]

 

like that?

 


[code]
$name = mysql_real_escape_string($_POST['name']);
$tel = mysql_real_escape_string($_POST['tel']);

$insert = "INSERT INTO `tbl_purchaseorders` (`name`,`tel`) VALUES ('$name', '$tel')";
[/code]

 

or alternately

 


[code]
$insert = "INSERT INTO `tbl_purchaseorders` (`name`,`tel`) VALUES ('" . mysql_real_escape_string($_POST['name']) . "', '" . mysql_real_escape_string($_POST['tel']) . "')";
[/code]
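The three ways of building the INSERT that the thread discusses, as an added example that is not part of any post above: the unescaped form from the first post, the escaped form from the last reply, and a prepared statement. mysql_real_escape_string() and the rest of the mysql_* extension were removed in PHP 7, so the escaping here uses PDO::quote(), which does the same job (and adds the surrounding quotes) for whichever driver the PDO connection uses; mysqli_real_escape_string() is the other equivalent. The table layout is assumed from the thread, and the database is an in-memory SQLite table created in the script so it runs without a MySQL server; the attacker input is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Compares unescaped, escaped and
// prepared-statement inserts using a constructed attacker input. The table
// layout is assumed from the thread; SQLite in memory stands in for MySQL.

// Constructed attacker input. The single quote closes the name literal early,
// the rest of the value becomes SQL, and "-- " comments out what follows.
const ATTACK_POST = [
    'name' => "x', 'attacker-chosen') -- ",
    'tel'  => '555-0100',
];

// 1. The first post's pattern: values interpolated straight into the SQL text.
//    Values need single quotes; backticks (as in the original post) quote
//    identifiers, not strings.
function buildUnescaped(array $post): string
{
    $name = $post['name'];
    $tel  = $post['tel'];
    return "INSERT INTO `tbl_purchaseorders` (`name`, `tel`) VALUES ('$name', '$tel')";
}

// 2. The last reply's pattern, with PDO::quote() in place of the removed
//    mysql_real_escape_string(). Both need an open connection because the
//    escaping rules depend on the driver and connection charset, and both only
//    protect values that end up inside quotes: an unquoted numeric value such
//    as VALUES ($id) is still injectable after escaping.
function buildEscaped(PDO $pdo, array $post): string
{
    $name = $pdo->quote($post['name']);   // returns the value already quoted
    $tel  = $pdo->quote($post['tel']);
    return "INSERT INTO `tbl_purchaseorders` (`name`, `tel`) VALUES ($name, $tel)";
}

// 3. Prepared statement: the values are bound separately from the SQL text, so
//    no quoting question arises and "variable or $_POST directly" is purely a
//    readability choice.
function insertPrepared(PDO $pdo, array $post): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO `tbl_purchaseorders` (`name`, `tel`) VALUES (:name, :tel)'
    );
    $stmt->execute([':name' => $post['name'], ':tel' => $post['tel']]);
}

// Fresh in-memory table for each run so the three cases can be compared.
function freshTable(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $pdo->exec('CREATE TABLE `tbl_purchaseorders` (`name` TEXT, `tel` TEXT)');
    return $pdo;
}

function storedRow(PDO $pdo): array
{
    return $pdo->query('SELECT `name`, `tel` FROM `tbl_purchaseorders`')
               ->fetch(PDO::FETCH_ASSOC);
}

$pdo = freshTable();
$pdo->exec(buildUnescaped(ATTACK_POST));
print_r(storedRow($pdo));   // tel column now holds the attacker's value

$pdo = freshTable();
$pdo->exec(buildEscaped($pdo, ATTACK_POST));
print_r(storedRow($pdo));   // whole payload stored literally as the name, tel intact

$pdo = freshTable();
insertPrepared($pdo, ATTACK_POST);
print_r(storedRow($pdo));   // same result as the escaped case
```

Run it with any PHP 7 or later build that has the pdo_sqlite extension. The first print shows the injected row, where the submitted name has been split into a name of `x` and an attacker-chosen tel; the second and third show the submitted name stored as-is. Against a real MySQL connection the escaped form would use backslash escaping rather than SQLite's doubled quotes, which is exactly why the escaping function has to know the connection.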
