In this thread (<!-- m --><a class="postlink" href="http://www.htmlforums.com/showthread.php?s=&threadid=41144">http://www.htmlforums.com/showthread.ph ... adid=41144</a><!-- m -->) forlamp says that for security reasons, "always use 's to encompas user input values, even if they are numerical"
What would the need be for quoting numerical data?No idea, I must admit I never do.I think he means that even if you expect numerical user input, still use mysql_escape_string() etc.so it really wouldn't apply if you do regexp's on the #'s to verify them first?
Something like this:if(!preg_match('/^\d{1,7}(\d{1,2}|\d\.\d|\.[\d]{1,2})?$/', $price_per_unit)){
fillInError('The Price per Unit is invalid.');
return false;
exit;
}I have had instances where this didn't work
insert into table (id,col1,col2) values ('',2,'something')
the 2 would not go in. I also had instances where this wouldn't work either
"select id from table where id = 2"
can't explain it but I always use ' on my values numeric or not.I can't recall any time where MySQL hasn't inserted none quoted values. Although in this light I will start doing this
thanksOk, real quick...What all SHOULD be quoted (to avoid any "possible" errors) Should I quote the table name? All values that are inserted should be, but also values that are in the where statement (WHERE id=2 should be WHERE id='2')? What about column names?
mysql_query("SELECT 'id','name' WHERE id='2'") or die(mysql_error());
//does that look correct?the only time I quote column/table names is if they are 2 words. then you should be using backticks instead of quotes.
my rule of thumb, if it doesn't have more than one word and it is before the where statment it doesn't get quoted. if it is after the where statemnet I quotes it. numeric or not.
and no, that will error out as you have quotes in places it may not like.
What would the need be for quoting numerical data?No idea, I must admit I never do.I think he means that even if you expect numerical user input, still use mysql_escape_string() etc.so it really wouldn't apply if you do regexp's on the #'s to verify them first?
Something like this:if(!preg_match('/^\d{1,7}(\d{1,2}|\d\.\d|\.[\d]{1,2})?$/', $price_per_unit)){
fillInError('The Price per Unit is invalid.');
return false;
exit;
}I have had instances where this didn't work
insert into table (id,col1,col2) values ('',2,'something')
the 2 would not go in. I also had instances where this wouldn't work either
"select id from table where id = 2"
can't explain it but I always use ' on my values numeric or not.I can't recall any time where MySQL hasn't inserted none quoted values. Although in this light I will start doing this
thanksOk, real quick...What all SHOULD be quoted (to avoid any "possible" errors) Should I quote the table name? All values that are inserted should be, but also values that are in the where statement (WHERE id=2 should be WHERE id='2')? What about column names?mysql_query("SELECT 'id','name' WHERE id='2'") or die(mysql_error());
//does that look correct?the only time I quote column/table names is if they are 2 words. then you should be using backticks instead of quotes.
my rule of thumb, if it doesn't have more than one word and it is before the where statment it doesn't get quoted. if it is after the where statemnet I quotes it. numeric or not.
and no, that will error out as you have quotes in places it may not like.