09-17-2007, 10:07 AM
La Vida es Sueño
Join Date: Sep 2007
Location: Oldham
Posts: 2,280
Thanks: 90
Aside from the enormous comments! I've never really been a big fan of the following code:
PHP Code:
$this->data = $this->db->query("SELECT `u_id`, `username`, `password`, `registerdate`, `registerip` FROM `MEMBER_TABLE` WHERE `u_id` = '".$u_id."'")->fetch();
Where you concatenate a variable into the SQL statement itself. Especially when it's an ID and you've placed quotes around it. I know many individuals take precaution here and place the quotes around to prevent any SQL errors for if someone should manage to inject a string into it - but there should be absolutely no way they should get the chance to.
I've always been a huge advocate of sprintf. You may enjoy reading the p if you haven't done so already.
All in all though your code looks pretty clean to me. Easy to understand as well which is always a big plus!
__________________
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.
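Added example, not code from the thread or from either poster: the quoted query rebuilt three ways against an in-memory SQLite database through PDO, so it runs offline. The table name and column names follow the query in the post; the two member rows and the sample inputs are constructed. It shows the concatenated form the post objects to, the sprintf form the post advocates, and a prepared statement with a bound integer parameter.

```php
<?php
// Added example (not the thread's own code). In-memory SQLite via PDO so the
// three query styles can be compared without a real MEMBER_TABLE.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE MEMBER_TABLE (u_id INTEGER PRIMARY KEY, username TEXT,
           password TEXT, registerdate TEXT, registerip TEXT)');
// Constructed sample rows.
$db->exec("INSERT INTO MEMBER_TABLE VALUES (1, 'alice', 'hash1', '2007-09-01', '192.0.2.10')");
$db->exec("INSERT INTO MEMBER_TABLE VALUES (2, 'bob',   'hash2', '2007-09-02', '192.0.2.11')");

// 1. The form the post criticises: the caller's value becomes part of the SQL text.
//    Correctness now depends on every caller having validated $u_id beforehand.
function fetchConcat(PDO $db, $u_id)
{
    $sql = "SELECT `u_id`, `username` FROM `MEMBER_TABLE` WHERE `u_id` = '" . $u_id . "'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// 2. sprintf with %d: only an integer ever reaches the statement text.
//    Caveat: a non-numeric value is silently coerced to 0, so validate first
//    (e.g. ctype_digit) if you want to reject bad input rather than hide it.
function fetchSprintf(PDO $db, $u_id)
{
    $sql = sprintf("SELECT `u_id`, `username` FROM `MEMBER_TABLE` WHERE `u_id` = %d", $u_id);
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// 3. Prepared statement: the value is sent separately from the SQL and is never
//    parsed as SQL, whatever it contains. This is the form to reach for by default.
function fetchPrepared(PDO $db, $u_id)
{
    $stmt = $db->prepare("SELECT `u_id`, `username` FROM `MEMBER_TABLE` WHERE `u_id` = :id");
    $stmt->bindValue(':id', (int) $u_id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Constructed inputs: a valid id and a value that is not an id at all.
foreach (['2', 'abc'] as $input) {
    printf("input %-4s concat=%s sprintf=%s prepared=%s\n",
        var_export($input, true),
        json_encode(fetchConcat($db, $input)),
        json_encode(fetchSprintf($db, $input)),
        json_encode(fetchPrepared($db, $input)));
}
```

For the id `2` all three variants return bob's row. For `abc` the sprintf variant queries for `u_id = 0` and the prepared variant binds 0, so both return no row without ever placing the raw string in the SQL; the concatenated variant is the only one where the raw string is interpreted by the SQL parser, which is exactly the exposure the post is pointing at. If ids must be numeric, checking `ctype_digit($u_id)` before any of these calls turns silent coercion into an explicit rejection.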