Okay, all of that discussion of predefined variables was well and good.
I'm going through my code and changing everything over to use
$_*['variablename'].
The problem is that a good deal of my code consists of MySQL query
statements with variables inside those statements. An example:
$sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";
You can see where I'm going with this.
Experiments of mine with using array elements within SQL statements
brought some of my questioning to the list just last week. I found that
the following did not work:
$sql = "SELECT table.column FROM table WHERE criteria LIKE $myrow['variable']";
So the logical solution, suggested by several on the list, would be to
create a new variable that would contain the array element:
$variable = $myrow['variable'];
$sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";
This is fine. But won't this contradict the whole point of using the
new predefined variables/arrays? Now someone could pass "variable=1"
along the querystring and start changing the way my page is intended to
work. Or is that what register_globals=Off does -- it disables the
ability for a $_GET variable to be considered a $_POST variable, etc?
Never mind, I think I just answered my own question.
So which is the preferred (least work) method of changing over the old
code,
$variable = $_POST['variable'];
$sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";
or
$sql = "SELECT table.column FROM table WHERE criteria LIKE ${_POST['variable']}";
I was hoping someone could set me straight before I go off and awk these
sitewide changes....
Erik
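
Added example, not part of the message above: with register_globals off, $_POST['variable'] is still a value the client chooses, so either form in the question places request data inside the SQL text. The sketch below runs the same kind of LIKE lookup with the value bound as a parameter; it assumes PDO with the SQLite driver so it runs offline, and the items table, name column and function names are hypothetical.

```php
<?php
// Added example. Table, column and function names are hypothetical.
// Assumes the pdo_sqlite extension; sample rows and inputs are constructed.

// Escape LIKE wildcards so the search term matches literally.
// '!' is the escape character declared with ESCAPE in the query.
function escape_like(string $value): string
{
    return strtr($value, ['!' => '!!', '%' => '!%', '_' => '!_']);
}

function find_items(PDO $db, array $post): array
{
    // Read only from the array you expect, and reject missing or
    // non-string values (a field sent as variable[]=x arrives as an array).
    $term = $post['variable'] ?? null;
    if (!is_string($term) || $term === '') {
        return [];
    }
    // The value is bound, never interpolated, so a quote inside it
    // cannot change the structure of the statement.
    $stmt = $db->prepare(
        "SELECT name FROM items WHERE name LIKE :pattern ESCAPE '!' ORDER BY name"
    );
    $stmt->execute([':pattern' => '%' . escape_like($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (name TEXT)');
$insert = $db->prepare('INSERT INTO items (name) VALUES (?)');
foreach (["O'Reilly guide", '100% cotton', '100 percent wool'] as $name) {
    $insert->execute([$name]);
}

// Constructed inputs standing in for $_POST.
var_dump(find_items($db, ['variable' => "O'Re"]));  // quote handled as data
var_dump(find_items($db, ['variable' => '100%']));  // % treated as a literal
var_dump(find_items($db, ['variable' => ['x']]));   // array input rejected
```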