Quotes in queries
1 31st May 06:31 roberts

Maybe try this :

// Array keys must be quoted: bare phpCAS / user would be read as constants.
// Note the value is concatenated into the SQL without any escaping.
$q = 'Select Netid from Users where Netid = "' . $_SESSION['phpCAS']['user'] . '"';
2 31st May 06:31

You can only interpolate ONE level of array or object indirection in a string.

WORKS:
"... $foo[x] ..."
"... $foo->x ..."

FAILS:
"... $foo[x][y] ..."
"... $foo->x->y ..." //almost for sure it fails, never tried...

You can use curly braces inside a string to evaluate something:

WORKS:
"... {$foo['x']['y']} ..." // inside the braces the keys are parsed as normal PHP, so they must be quoted
"... {$foo->x->y} ..."

[soapbox]
I personally think this is possibly the ugliest wart of variable/string interpolation.

Not sure how/why it came about, but it makes zero sense, really...
[/soapbox]

ymmv
4 31st May 09:24 mpeloso

Hello,
I am trying to get the following to work:
"Select Netid from Users where Netid = '$_SESSION[phpCAS][user]'"
Netid is a string type.
No matter where or if I put the quotes, I still get array[phpCAS] not the
value.
If there is anything I still have trouble with after all these years it's
quoting variables.
Help?
Thanks
Mike
5 31st May 09:24 eric.butera

Mike,

Well to be fair, I don't see any escaping in "Select Netid from Users
where Netid = '$_SESSION[phpCAS][user]'". You could write:

$sql = sprintf(
    "Select Netid from Users where Netid = '%s'",
    mysql_real_escape_string($_SESSION['phpCAS']['user'])
);

and not have any of these problems. If you're escaping outside of
that statement, then it's potentially tainting your data.
6 31st May 09:24 mpeloso

No, actually I test my queries first and then wrap them in
mysql_real_escape_string().
7 31st May 09:24 mpeloso

Thanks, that's the kind of help I was looking for.
Mike
8 31st May 09:24

Forgive me if I'm wrong, but:

Caching an execution plan for a prepared statement that is run only once in the script is just overhead, no?

Or can it actually re-use the same cached statement from a different connection by some magical matching up of the context??? Doesn't seem like the kind of thing that would be workable, but what do I know?

Now if you said "... allows the DB to cold-stop any SQL injection" you'd be 100% right. :-)

So MikeP should really consider using prepared statements for that reason, as it lets the DB do the escaping.

PS
I think MikeP is saying he writes the code once and gets it working, then goes back and adds the escaping in later. This is fine if you ALWAYS remember to do that, but in a frenzy to release under pressure... Bad Idea!
9 31st May 09:24 kyle

Doesn't anybody use prepared statements these days? It even helps MySQL AND
Oracle cache an execution plan...

--
Kyle Terry | http://www.kyleterry.com
10 31st May 09:24 kyle

It is overhead, but it caches the execution plan for multiple runs of the
script. So different users with different data will use the same cached
query on the database. Saving processing time. It also prevents SQL
injection on the fly because you are indicating what data type each place
holder will need to accept.

--
Kyle Terry | http://www.kyleterry.com
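The following is an added example, not code from any of the posts above. It puts the two threads of this discussion side by side: the one-subscript limit of simple "$foo[x]" interpolation versus the curly-brace form (post 2), and why even a correctly interpolated value is injectable unless it is escaped, as eric.butera's sprintf() pattern does, or passed as a bound parameter to a prepared statement, as the later replies recommend. The function names (naiveQuery, interpolatedQuery, escapedQuery, lookupNetid), the Users table and the session contents are all constructed for the demo; it assumes PHP with PDO and the pdo_sqlite driver so it runs offline, and PDO::quote() stands in for the mysql_real_escape_string() of the original.

```php
<?php
// Added example, not code from the thread. Walks through the forms discussed
// above: simple "$s[phpCAS][user]" interpolation (one subscript only), the
// {$s['phpCAS']['user']} curly-brace form (reaches the value but is still
// injectable), escaping into a sprintf() template, and a prepared statement.
// Assumptions: PDO with the pdo_sqlite driver is available; the Users table
// and the session contents below are constructed for the demo.

declare(strict_types=1);

// Constructed session data in the shape phpCAS uses: $_SESSION['phpCAS']['user'].
$session = ['phpCAS' => ['user' => "o'neil"]];

// Simple interpolation consumes exactly one subscript: PHP interpolates
// $s['phpCAS'] (an array, so it becomes the word Array and raises an
// "Array to string conversion" warning) and leaves "[user]" as literal text.
function naiveQuery(array $s): string
{
    return "Select Netid from Users where Netid = '$s[phpCAS][user]'";
}

// The curly-brace form is parsed as a normal expression, so the keys must be
// quoted and the nested value is reached. The apostrophe in o'neil still ends
// the SQL string literal early: this is the injectable version.
function interpolatedQuery(array $s): string
{
    return "Select Netid from Users where Netid = '{$s['phpCAS']['user']}'";
}

// eric.butera's sprintf() pattern, with PDO::quote() in place of the
// mysql_real_escape_string() of the original (quote() adds the outer quotes).
function escapedQuery(PDO $db, array $s): string
{
    return sprintf('Select Netid from Users where Netid = %s',
        $db->quote($s['phpCAS']['user']));
}

// Prepared statement with a bound parameter: the SQL text is sent without the
// data, so nothing in the value can change the statement's structure.
function lookupNetid(PDO $db, array $s): ?string
{
    $stmt = $db->prepare('Select Netid from Users where Netid = :netid');
    $stmt->execute([':netid' => $s['phpCAS']['user']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['Netid'];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (Netid TEXT PRIMARY KEY)');
$db->exec("INSERT INTO Users (Netid) VALUES ('o''neil'), ('mike')");

echo "naive:        ", naiveQuery($session), "\n";
echo "interpolated: ", interpolatedQuery($session), "\n";
echo "escaped:      ", escapedQuery($db, $session), "\n";
echo "prepared:     ", var_export(lookupNetid($db, $session), true), "\n";

// Attacker-controlled value: the interpolated query becomes
// ... Netid = 'x' OR '1'='1', a valid statement that matches every row,
// while the prepared statement only ever looks for that literal string.
$session['phpCAS']['user'] = "x' OR '1'='1";
$rows = $db->query(interpolatedQuery($session))->fetchAll(PDO::FETCH_COLUMN);
echo "interpolated query matched ", count($rows), " rows\n";
echo "prepared:     ", var_export(lookupNetid($db, $session), true), "\n";
```

Run it with `php example.php`. The naive form prints the literal text Array[user] in the query, which is the symptom Mike describes; the curly-brace form produces the intended query for a plain username but lets the apostrophe in o'neil (or the OR clause at the end) rewrite the statement; the escaped and prepared forms both return the single matching row, and only the prepared form keeps doing so once the value turns hostile.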
Copyright © 2006 SmartyDevil.com