[prog] Re: Placeholders (was MySQL connections from PHP files...)

Gareth Anderson somecsstudent at gmail.com
Tue May 3 19:53:05 EST 2005


Jacinta wrote:
"...the database driver will do the required quoting.  Some databases
use double tick '' to represent a single literal quote.  By leaving it
to the database driver, you don't have to worry about that kind of
thing."

Now it all makes sense :)
I was looking for the PHP programming to have the quoting there and
couldn't work it out; it's all clicked now.

When placeholders are used the driver doesn't say to the database
"execute this bit of SQL verbatim thanks", instead it says "you know
that statement with placeholders I just gave you?  the first bit of
data is this, and the second bit is this...."

That's a very handy idea :P

Unfortunately I am using PHP 4.3.x as dictated by my assignment, I
will however add the placeholder information to my final report
(thanks so much!).

Also, to the person asking about doing this in PHP 4.3.x:
You *could* use a function like the one I'm using (the quoteSmart
function as found in the PHP manual), but you need to remember to
always use it before you pass the database values inputted by the
user. Otherwise you have a SQL injection security hole.

Too bad I can't use those placeholders, but I'm glad I know about
them. Thanks to everyone for explaining; now I have another question
(but that's another email).

Regards,
Gareth
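The placeholder-versus-quoting distinction discussed above, as an added example that is not part of the thread: it uses Python's sqlite3 (whose DB-API placeholders behave the way the email describes, with the statement handed over separately from the data) rather than the PHP 4.3.x/MySQL setup of the original, and `quote_smart` is a hypothetical stand-in for the manual's quoteSmart that doubles embedded single quotes the way the quoted "double tick" convention does.

```python
import sqlite3

# Constructed sample data (not from the original mailing-list thread).
NAMES = ["Jacinta", "O'Brien"]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [(n,) for n in NAMES])
    return conn


def find_with_placeholder(conn, name):
    # The driver receives the statement and the value separately; the value
    # is never spliced into the SQL text, so a quote inside it needs no escaping.
    row = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def quote_smart(value):
    # Hypothetical stand-in for the manual's quoteSmart: wrap the value in
    # single quotes and double any embedded quote, SQL's escape for a literal '.
    return "'" + str(value).replace("'", "''") + "'"


def find_with_quote_smart(conn, name):
    # Manual quoting works, but only if every caller remembers to apply it.
    sql = "SELECT name FROM users WHERE name = " + quote_smart(name)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def find_unquoted(conn, name):
    # The mistake the email warns about: splicing user data in without quoting.
    # As soon as the data contains a quote, the statement no longer parses as
    # intended, which is the same boundary confusion that enables injection.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        row = conn.execute(sql).fetchone()
        return row[0] if row else None
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)
```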

