03-22-2008, 07:07 PM
#8
The Acquainted
Join Date: Nov 2007
Posts: 154
Thanks: 31
I agree with maZtah; I prefer style #1, which keeps the SQL statement separate from the actual query call. If you need to look at the query or the data embedded in it, it's simple to display the SQL statement by itself. If it's trapped within a function call (or worse, a couple of function calls), troubleshooting why the data isn't coming out the other end becomes exponentially more difficult. You wind up having to dissect it into several pieces anyway.
Using sprintf() is also a good way to go, but don't rely on it alone to protect your database from SQL injection. Parameterized queries are also useful, if your database interface extension provides them.
__________________
I reject your reality, and substitute my own.
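The post above makes two points: keep the SQL statement in its own variable so it can be printed while debugging, and do not rely on sprintf()-style formatting alone to stop injection. The following is an added example, not code from the post or the thread; it uses Python's sqlite3 module and %-formatting in place of the sprintf() and database extension the post refers to, and the users table and its three rows are constructed sample data. It shows the same statement built three ways: string-formatted (injectable), parameterized (the bound value is never parsed as SQL), and formatted through an explicit integer cast (safe only because the cast rejects anything that is not a number).

```python
import sqlite3


def make_db():
    # Constructed sample data for the example; not from the original post.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("carol", "carol@example.com"),
        ],
    )
    return conn


def find_by_name_formatted(conn, name):
    # Style #1 from the post: the SQL lives in its own variable and can be
    # printed. But %-formatting splices the raw value into the statement text,
    # so a quote in `name` changes the query's structure. Injectable.
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_by_name_param(conn, name):
    # Still a separate, printable statement, but the value is sent as a bound
    # parameter. The database treats it as data, never as SQL.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def find_by_id_formatted(conn, user_id):
    # Formatting a numeric field through an explicit int() cast: only an
    # integer can reach the statement, and int() raises ValueError on
    # anything else. This is why formatting "is a good way to go" for
    # numbers and says nothing about the safety of string fields.
    sql = "SELECT id, name FROM users WHERE id = %d" % int(user_id)
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("formatted:", find_by_name_formatted(db, payload))  # every row
    print("parameterized:", find_by_name_param(db, payload))  # no rows
    print("int-cast:", find_by_id_formatted(db, "2"))         # bob only
    try:
        find_by_id_formatted(db, "2 OR 1=1")
    except ValueError as exc:
        print("int-cast rejected payload:", exc)
```

Running it shows the formatted lookup returning all three users for the payload while the parameterized lookup returns none; the integer-cast variant returns bob for "2" and raises before any SQL is built when handed "2 OR 1=1".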