On 5/26/06, Brad Bonkoski <[EMAIL PROTECTED]> wrote:
Dotan Cohen wrote:
> In the php manual:
> http://www.php.net/manual/en/function.mysql-real-escape-string.php
>
> The following method is suggested:
>
> <?php
> // Quote variable to make safe
> function quote_smart($value)
> {
>     // Stripslashes
>     if (get_magic_quotes_gpc()) {
>         $value = stripslashes($value);
>     }
>     // Quote if not a number or a numeric string
>     if (!is_numeric($value)) {
>         $value = "'" . mysql_real_escape_string($value) . "'";
>     }
>     return $value;
> }
>
> // Connect
> $link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
>     OR die(mysql_error());
>
> // Make a safe query
> $query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
>     quote_smart($_POST['username']),
>     quote_smart($_POST['password']));
>
> mysql_query($query);
> ?>
>
> What is the purpose of the sprintf? If it were using %d on integers I
> could see the point, but as we're talking about %s strings, what is
> the advantage to using sprintf? How does this differ from:
>
> $query = "SELECT * FROM users WHERE user=".$_POST['username']." AND
> password=".$_POST['password'];
>
> Dotan Cohen
> http://linux-apache-mysql-php.org

Well they are passing the result of the quote_smart function into the
string..... so it would be the same as say:

$user = quote_smart($_POST['username']);
$pass = quote_smart($_POST['password']);
$query = "select * from users where user=$user and password=$pass";

Your query would not use the quote_smart() function, as well as be wrong
if those values were strings....

-Brad
I meant:

$query = "SELECT * FROM users WHERE user=".quote_smart($_POST['username'])." AND
password=".quote_smart($_POST['password']);

The point was, what's the advantage of the sprintf?

Dotan Cohen
http://what-is-what.com
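An added, stand-alone example (not code from the thread or from the PHP manual) that answers the question empirically: it runs the manual's quote_smart() logic over a set of constructed inputs and builds the query both with sprintf("%s") and with plain concatenation, showing that the two strings are byte-for-byte identical. Because mysql_real_escape_string() needs an open connection, the escaper is passed in as a callable, and addslashes() is used only as an offline stand-in (an assumption for this demo, not a substitute for the real escaper). The inputs also show the one behaviour of quote_smart() worth knowing about: anything is_numeric() accepts, including "1e3" and a value with a leading space, is placed into the SQL unquoted. The closing find_user() function (PDO, hypothetical table and column names) is the prepared-statement form that makes the quoting question moot.

```php
<?php
// Added example, not from the original thread.
// quote_smart() as in the manual, with the escaper injected so the
// script runs without a MySQL connection.
function quote_smart_offline($value, callable $escape)
{
    // get_magic_quotes_gpc() was removed in PHP 8; guard for old installs.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not a number or a numeric string
    if (!is_numeric($value)) {
        $value = "'" . $escape($value) . "'";
    }
    return $value;
}

// Offline stand-in (assumption): on a real link use mysql_real_escape_string()
// or, with ext/mysqli, mysqli_real_escape_string($link, $value).
$escape = 'addslashes';

// Constructed inputs covering the interesting cases.
$inputs = array(
    'alice',          // plain string      -> 'alice'
    "o'brien",        // embedded quote    -> 'o\'brien'
    "' OR 1=1 -- ",   // injection probe   -> quoted, so it is just a literal
    '42',             // numeric string    -> 42 (unquoted)
    '1e3',            // is_numeric() true -> 1e3 (unquoted)
    ' 7',             // leading space is still numeric -> ' 7' stays unquoted
);

foreach ($inputs as $in) {
    $q = quote_smart_offline($in, $escape);

    // The two constructions the thread compares.
    $viaSprintf = sprintf("SELECT * FROM users WHERE user=%s", $q);
    $viaConcat  = "SELECT * FROM users WHERE user=" . $q;

    printf("%-18s => %-50s same=%s\n",
        var_export($in, true),
        $viaSprintf,
        ($viaSprintf === $viaConcat) ? 'yes' : 'no');
}

// The form that removes the quoting question entirely: the query text is
// fixed and the values travel separately. Table/column names are assumed.
function find_user(PDO $db, $user, $password)
{
    $stmt = $db->prepare('SELECT * FROM users WHERE user = ? AND password = ?');
    $stmt->execute(array($user, $password));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Every row prints same=yes: with %s and an already-quoted argument, sprintf() adds nothing that concatenation does not. Its only practical merits here are readability (the SQL template is one literal, the values are listed after it) and the fact that the user value is an argument rather than part of the format string, so a '%' in the input cannot change the format. The safety comes from quote_smart(), not from sprintf(), and even then only for values that fail is_numeric(); numeric-looking input goes in unquoted, which is fine for a numeric column but is one more thing to reason about that find_user() above does not have.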