volka
DevNet Evangelist
Posts: 8391 Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger
by volka » Mon Jan 01, 2007 2:49 pm
ole wrote: You realize you are setting city field to the literal string '{$_POST['Philadelphia']}'.
It's not using the value in $_POST.
No, {$_POST['Philadelphia']} gets substituted
Code:
$_POST = array('Philadelphia'=>'xyz');
echo "UPDATE table SET city ='{$_POST['Philadelphia']}' WHERE id='1'";
prints
UPDATE table SET city ='xyz' WHERE id='1'
But there might be another issue: SQL injections
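Added example, not part of any post in this thread: the thread's UPDATE built with PDO bound parameters and a column allow-list instead of interpolating $_POST, run against an in-memory SQLite table. The table `places`, its columns, the helper `build_update()` and the request values are constructed for illustration.

```php
<?php
// Added example; table, columns, helper name and request data are constructed.

// Build "UPDATE ... SET col = :col" from an allow-list of column names.
// Request keys never reach the SQL text; request values travel only as bound parameters.
function build_update(string $table, array $allowedColumns, array $input): array
{
    $sets = [];
    $params = [];
    foreach ($allowedColumns as $col) {
        if (array_key_exists($col, $input)) {
            $sets[] = "$col = :$col";
            $params[":$col"] = $input[$col];
        }
    }
    if ($sets === []) {
        throw new InvalidArgumentException('no updatable fields supplied');
    }
    $sql = "UPDATE $table SET " . implode(', ', $sets) . ' WHERE id = :id';
    return [$sql, $params];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE places (id INTEGER PRIMARY KEY, city TEXT, state TEXT)');
$db->exec("INSERT INTO places (id, city, state) VALUES (1, 'old', 'PA')");

// Constructed request: a value containing a quote, and a key that is not a column.
$post = ['city' => "x', state='ZZ", 'not_a_column' => 'ignored'];

// Interpolated form from the thread: the quote in the value ends the string
// literal early, so the rest of the value is parsed as SQL.
echo "UPDATE places SET city ='{$post['city']}' WHERE id='1'", "\n";

// Parameterized form: the statement text is fixed before any request value is attached.
[$sql, $params] = build_update('places', ['city', 'state'], $post);
$params[':id'] = 1;
echo $sql, "\n";
$stmt = $db->prepare($sql);
$stmt->execute($params);

// The whole value, quote included, is stored in city; state is untouched.
var_dump($db->query('SELECT city, state FROM places WHERE id = 1')->fetch(PDO::FETCH_ASSOC));
```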
Ollie Saunders
DevNet Master
Posts: 3179 Joined: Tue May 24, 2005 6:01 pm
Location: UK
by Ollie Saunders » Mon Jan 01, 2007 3:45 pm
The dollar is escaped:
Code:
$pairs[] = "$name ='{\$_POST['" . mysql_real_escape_string($value) . "']}'";
volka
DevNet Evangelist
Posts: 8391 Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger
by volka » Mon Jan 01, 2007 4:04 pm
Ah ok, I thought you responded to
psurrena wrote: The code right now ends up being this:
Code:
"UPDATE table SET city ='{$_POST['Philadelphia']}' WHERE id='1'"
which seems right to me.