making it readable
  • zorgi
    Recognized Expert Contributor
    • Mar 2008
    • 431

    making it readable

    I have a problem that is not so much of a programming nature as a practical one. Have a look at this code sample:
    [PHP]
    $conn = mysql_connect("localhost", "root", "");
    mysql_select_db('buldog', $conn);
    $sql = "INSERT INTO tb(cpanel_user_name, cpanel_password, joomla_user_name, joomla_password, url) VALUES(\"".$_POST['c_username']."\", \"".$_POST['c_password']."\", \"".$_POST['joomla_username']."\", \"".$_POST['joomla_password']."\", \"".$_POST['url']."\")";
    $result = mysql_query($sql, $conn) or die(mysql_error());

    [/PHP]

    Line 3 of the code is my problem. If I have to go over code like that for whatever reason ... well, it's a real pain. Does anybody know a better way of doing this, or am I just supposed to stand the pain of working with code like this one?

    Thanks
  • Markus
    Recognized Expert Expert
    • Jun 2007
    • 6092

    #2
    Have a look at this hotter, sexier method.
    [php]
    $_insert =
    "INSERT INTO
    `table_name`
    (row_1, row_2, row_3, row_4)
    VALUES
    ('{$_var1}', '{$_var2}', '{$_var3}', '{$_var4}')";
    [/php]
    That's how I lay my queries out :)


    • zorgi
      Recognized Expert Contributor
      • Mar 2008
      • 431

      #3
      Originally posted by markusn00b
      Have a look at this hotter, sexier method.
      [php]
      $_insert =
      "INSERT INTO
      `table_name`
      (row_1, row_2, row_3, row_4)
      VALUES
      ('{$_var1}', '{$_var2}', '{$_var3}', '{$_var4}')";
      [/php]
      That's how I lay my queries out :)

      Sweet :) Thank you markusn00b


      • ronverdonk
        Recognized Expert Specialist
        • Jul 2006
        • 4259

        #4
        You are almost BEGGING to be hacked or to have your database put upside down. First rule: never, ever, trust any input from outside, ANY outside!
        So you need to sanitize the $_POST params with at least a strip_tags() function.
        Because you have to do that, it is easier to build a structured statement like:
        [php]
        $u   = strip_tags($_POST['c_username']);
        $p   = strip_tags($_POST['c_password']);
        $ju  = strip_tags($_POST['joomla_username']);
        $jp  = strip_tags($_POST['joomla_password']);
        $url = strip_tags($_POST['url']); // own variable: reusing $u here would overwrite the username

        $sql = "INSERT INTO tb
        (cpanel_user_name, cpanel_password, joomla_user_name, joomla_password, url)
        VALUES('$u', '$p', '$ju', '$jp', '$url')";
        [/php]
        Ronald

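Added example (not written by anyone in this thread): the same INSERT, laid out one clause per line as in post #2, but with the five values passed to the database as bound parameters through PDO instead of being spliced into the SQL string. strip_tags() removes HTML markup and nothing else; the single and double quotes that end a string literal pass through it untouched, so the sanitized variables in post #4 still land inside the SQL text. A prepared statement keeps the values out of the SQL text entirely, whatever they contain. The mysql_* functions used in the thread were removed in PHP 7. The table, column and database names come from post #1; the account name, the DB_PASSWORD environment variable and the username pattern are assumptions made for this example.

```php
<?php
// Added example, not code from the thread: the INSERT from post #1 with
// the values bound as prepared-statement parameters.
declare(strict_types=1);

// Read every expected field explicitly; a missing field becomes '' rather
// than an "undefined index" notice that @ would have hidden.
$fields = ['c_username', 'c_password', 'joomla_username', 'joomla_password', 'url'];
$in = [];
foreach ($fields as $f) {
    $in[$f] = (isset($_POST[$f]) && is_string($_POST[$f])) ? trim($_POST[$f]) : '';
}

// Validate what can be validated before the query is built.
// FILTER_VALIDATE_URL is PHP's own check; the username rule is an assumption.
if (filter_var($in['url'], FILTER_VALIDATE_URL) === false) {
    http_response_code(400);
    exit("invalid url\n");
}
if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $in['c_username'])) {
    http_response_code(400);
    exit("invalid cpanel username\n");
}

// Connection with real (non-emulated) prepared statements and exceptions
// instead of "or die(mysql_error())". Account and password are assumptions;
// the thread's root account with an empty password is not something to copy.
$pdo = new PDO(
    'mysql:host=localhost;dbname=buldog;charset=utf8mb4',
    'app_user',                  // assumed least-privilege account
    getenv('DB_PASSWORD') ?: '', // assumed: secret supplied via the environment
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// The query reads like the layout in post #2; the values are named placeholders.
$sql = "INSERT INTO tb
            (cpanel_user_name, cpanel_password, joomla_user_name, joomla_password, url)
        VALUES
            (:c_user, :c_pass, :j_user, :j_pass, :url)";

$stmt = $pdo->prepare($sql);
$stmt->execute([
    ':c_user' => $in['c_username'],
    ':c_pass' => $in['c_password'],
    ':j_user' => $in['joomla_username'],
    ':j_pass' => $in['joomla_password'],
    ':url'    => $in['url'],
]);

// A posted value such as   x", "y", "z", "w", "u"); DROP TABLE tb; --
// is stored as that literal string: it never becomes part of the SQL text,
// so it cannot close the INSERT. strip_tags() would have left every one of
// those characters in place.
echo $stmt->rowCount(), " row inserted\n";
```

The passwords are still stored exactly as received, which is what the thread's code does; this example changes how the query is built, not what is kept in the table.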

        • zorgi
          Recognized Expert Contributor
          • Mar 2008
          • 431

          #5
          Originally posted by ronverdonk
          You are almost BEGGING to be hacked or to have your database put upside down. First rule: never, ever, trust any input from outside, ANY outside!
          So you need to sanitize the $_POST params with at least a strip_tags() function.
          Because you have to do that, it is easier to build a structured statement like:
          [php]
          $u   = strip_tags($_POST['c_username']);
          $p   = strip_tags($_POST['c_password']);
          $ju  = strip_tags($_POST['joomla_username']);
          $jp  = strip_tags($_POST['joomla_password']);
          $url = strip_tags($_POST['url']); // own variable: reusing $u here would overwrite the username

          $sql = "INSERT INTO tb
          (cpanel_user_name, cpanel_password, joomla_user_name, joomla_password, url)
          VALUES('$u', '$p', '$ju', '$jp', '$url')";
          [/php]
          Ronald
          Thank you ronverdonk. Will rewrite my code. I have seen things like this:

          [PHP]@$u = $_POST['c_username'];[/PHP]

          What is this '@' about?


          • ronverdonk
            Recognized Expert Specialist
            • Jul 2006
            • 4259

            #6
            Originally posted by zorgi
            Thank you ronverdonk. Will rewrite my code. I have seen things like this:

            [PHP]@$u = $_POST['c_username'];[/PHP]

            What is this '@' about?
            Literally it means that, when prepended to an expression in PHP, any error messages that might be generated by that expression will be ignored.

            Do not use this too often or you might miss error messages that are important.

            See also error control operators in the PHP documentation.

            Ronald

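Added example (not part of the thread) of what the `@` operator in post #5 does and does not do, with a custom error handler that records which errors it was asked about while `@` was active. Inside an `@`-expression PHP lowers error_reporting() for the duration of that expression, so a handler that wants to honour `@` tests the error's bit in error_reporting() rather than comparing it with 0 (since PHP 8.0, `@` no longer silences fatal error types, so the value is not 0 there). The `$_POST` array is constructed for the example; nothing here talks to a database.

```php
<?php
// Added example, not code from the thread: observing the @ operator.
declare(strict_types=1);

$seen = [];
set_error_handler(function (int $errno, string $errstr) use (&$seen): bool {
    // The documented way to respect @ in a custom handler: while an
    // @-expression runs, the suppressed error types are cleared from
    // error_reporting(), so check the bit instead of "== 0".
    $suppressed = (error_reporting() & $errno) === 0;
    $seen[] = ($suppressed ? 'suppressed: ' : 'reported:   ') . $errstr;
    return true; // handled; do not fall through to PHP's default output
});

// Constructed request: the form sent a username but no password field.
$_POST = ['c_username' => 'alice'];

// 1. Plain read of a missing key: PHP raises a warning ("Undefined array key"
//    in PHP 8, "Undefined index" notice in PHP 7) and $p becomes null.
$p = $_POST['c_password'];

// 2. The form from the thread: same read, same null in $q, warning hidden.
@$q = $_POST['c_password'];

// 3. Saying explicitly what a missing field means, with no warning to hide.
$r = $_POST['c_password'] ?? '';

// 4. @ in front of a function call hides that call's warnings as well.
//    This is the case post #6 warns about: a failed open (or, in the
//    thread's code, a failed mysql_connect()) just returns false silently.
$fh = @fopen('/nonexistent/path/to/file', 'r');

restore_error_handler();

var_dump($p, $q, $r, $fh); // NULL, NULL, string(0) "", bool(false)
print_r($seen);            // one "reported:" entry for (1), "suppressed:" entries for (2) and (4)
```

Run it with `display_errors` on and compare the `$seen` list with what reaches the screen: the two suppressed entries are exactly the messages that would have been lost if the handler had not been recording them.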