which one to use and why??

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


PHPycho
Forum Contributor
Posts: 336
Joined: Fri Jan 06, 2006 12:37 pm


Post by PHPycho »

I used to use the following in SQL queries:


SELECT * from `profile` WHERE  userid='$_SESSION[userid]'
But I see the following frequently:


SELECT * from `profile` WHERE  userid='".$_SESSION[userid]."'
I am in a dilemma about which one to use and why.
Please clarify this for me...
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

I wouldn't use either of them... They both misuse the key/index: http://be.php.net/manual/en/language.types.array.php

I added a couple of other valuable hints.


<?php
session_start();

// here we will keep all the data that is ready to be used in a mysql query
// typically we need to perform mysql_real_escape_string on it
// (mysql_real_escape_string needs an open mysql_connect() connection first)
$mysql = array();

// if we were generating html we could have a $html array too
// and we typically perform htmlentities($value, ENT_QUOTES, 'UTF-8') on it

// test if the data is available
if (isset($_SESSION['userid'])) {
  // prepare the userid to be used in a mysql query
  $mysql['userid'] = mysql_real_escape_string($_SESSION['userid']);
} else {
  // Houston, we got a problem: don't build the query with a missing userid
  trigger_error('userid is not set in the session', E_USER_ERROR);
  exit;
}

// select only the columns that we need
$query = "SELECT column1, column2 FROM profile WHERE userid='{$mysql['userid']}'";
?>
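The same profile lookup done two ways, as an added example that is not code from the thread: once with timvw's escape-before-use pattern on the mysqli extension (the old mysql_* functions are gone in current PHP), and once with a prepared statement, which is the form to prefer because the session value never becomes part of the SQL text. It assumes an open mysqli connection in $db and keeps the column names from timvw's post; the get_result() call requires the mysqlnd driver.

```php
<?php
session_start();

// Escape-on-use: only data escaped for MySQL goes into $mysql, and the
// value stays inside quotes in the SQL, otherwise escaping does not protect it.
function escapedProfileQuery(mysqli $db, array $session): string
{
    if (!isset($session['userid'])) {
        // fail closed instead of building a query around a missing value
        throw new RuntimeException('userid is not set in the session');
    }
    $mysql = array(
        'userid' => $db->real_escape_string((string) $session['userid']),
    );
    return "SELECT column1, column2 FROM profile WHERE userid = '{$mysql['userid']}'";
}

// Prepared statement: the query text is fixed, the value is sent separately,
// so no escaping step can be forgotten or applied to the wrong context.
function fetchProfile(mysqli $db, array $session): ?array
{
    if (!isset($session['userid'])) {
        throw new RuntimeException('userid is not set in the session');
    }
    $userid = (string) $session['userid'];  // bind_param needs a variable
    $stmt = $db->prepare('SELECT column1, column2 FROM profile WHERE userid = ?');
    $stmt->bind_param('s', $userid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();  // assumes mysqlnd
    $stmt->close();
    return $row === null ? null : $row;  // null when no profile matches
}

// usage, assuming $db is an open mysqli connection (constructed elsewhere)
// $profile = fetchProfile($db, $_SESSION);
?>
```

Note that the array key is always quoted ('userid'); the unquoted $_SESSION[userid] from the question only works by accident inside a double-quoted string and is an undefined constant everywhere else.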