[thelist] MySQL/PHP Associative Array Insert
Mike Migurski
mike at saturn5.com
Sat Feb 1 15:27:01 CST 2003
>> If you are using complex variables such as associative arrays in a
>> string you can enclose them with curly braces in order to get PHP to
>> parse them.
>
>It's even better to not use double quotes (because php will not
>evaluate what is inside simple quote, useful for very long string) like
>this :
>
>$str='here are some values of an associative array:'.$assocArr['one'].', '
>.$assocArr['foo'].', '.$assocArr['bar'].'.';

This is probably a good time to reintroduce last month's SQL security
advice. I think it comes up pretty regularly here?

If there is any chance that a user may have control over the variables
that are being passed to your queries, for example if they are being
passed from a GET or POST request, make sure to escape any potentially
dangerous characters ahead of time.

The PHP documentation for mysql_escape_string():
http://www.php.net/manual/en/function.mysql-escape-string.php
...provides examples of potential problems and their solutions.

Also, if you find yourself creating abnormally large queries with lots of
external variables, you may find sprintf's syntax a little easier on the
eyes:

$str = sprintf('here are some values of an associative array: %s, %s, %s',
               $assocArr['one'],
               $assocArr['foo'],
               $assocArr['bar']);

---------------------------------------------------------------------
michal migurski- contact info and pgp key:
http://www.saturn5.com/mike/contact.html
"Freedom! Horrible, horrible freedom!"
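
The advice above applied to the thread's subject, inserting an associative array. This is an added example, not code from the original post: it swaps manual escaping for PDO bound parameters (mysql_escape_string() was removed in PHP 7.0). The insertAssoc() helper, the guests table and its columns, and the in-memory SQLite database are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Table, columns and the
// sample request array are constructed for illustration.

// Insert an associative array as one row. Values are bound parameters;
// column names are checked against an allowlist because identifiers
// cannot be bound.
function insertAssoc(PDO $pdo, string $table, array $allowed, array $row): int
{
    $cols = [];
    $params = [];
    foreach ($allowed as $col) {
        if (array_key_exists($col, $row)) {
            $cols[] = $col;
            $params[':' . $col] = $row[$col];
        }
    }
    if ($cols === []) {
        throw new InvalidArgumentException('no permitted columns in input');
    }

    // $table and $cols come from application code, never from the request.
    $sql = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        $table,
        implode(', ', $cols),
        implode(', ', array_keys($params))
    );

    $stmt = $pdo->prepare($sql);
    $stmt->execute($params); // values travel separately from the SQL text
    return (int) $pdo->lastInsertId();
}

// Assumption: in-memory SQLite so this runs offline; insertAssoc() is the same with a MySQL DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE guests (id INTEGER PRIMARY KEY, name TEXT, comment TEXT)');

// Constructed stand-in for $_POST: quote characters plus an unexpected key.
$request = [
    'name'     => "O'Brien",
    'comment'  => "it's great'); --",
    'is_admin' => '1',
];

$id = insertAssoc($pdo, 'guests', ['name', 'comment'], $request);
$stored = $pdo->query('SELECT name, comment FROM guests')->fetch(PDO::FETCH_ASSOC);
var_dump($id, $stored); // show what was stored
```

The quote characters reach the table unchanged, and the is_admin key is ignored because it is not in the allowlist.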