Why does this query have a "." in it?

I want to know why the following query contains the "." operator and pieces like ".$_POST['date'].", etc.

$query = "INSERT INTO eventcal ('eventDate','eventTitle','eventContent','user',
'user_id') VALUES('".$_POST['date']."','".addslashes($_POST['eventTitle'])."',
'".addslashes($_POST['eventContent'])."')";     

If I change it to the following, will there be any difference?

VALUES('$_POST['date']','addslashes($_POST['eventTitle'])',
'addslashes($_POST['eventContent'])')

Thanks in advance.

+3
4 answers

This is PHP's string concatenation operator (the quotation marks mark the end of each string literal). In JavaScript and many other languages, the + character does the same joining.

echo "hello" . " " . "world!"; // Outputs 'hello world!'

Yes, this change will drastically change its meaning.

Finally, it is open to a serious SQL injection attack because date is not escaped.

Always sanitize your input, and use parameterized queries where possible.

+2
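As an added example (not code from the question or from this answer), here is the question's concatenated INSERT placed next to a prepared-statement version and run against an in-memory SQLite database that stands in for the real MySQL table. The table shape, the $post array (a stand-in for $_POST) and the payload in the date field are all constructed for the demonstration; the two columns the question names but never supplies values for (user, user_id) are left out, and pdo_sqlite is assumed to be available.

```php
<?php
// Added example, not code from the original question or answers. It reproduces
// the question's concatenated INSERT (reduced to the three columns that actually
// receive values) and contrasts it with a prepared statement. The in-memory
// SQLite database and the $post array are constructed stand-ins for a real
// MySQL table and $_POST.

declare(strict_types=1);

// The question's approach: values spliced into the SQL text with the '.' operator.
// addslashes() guards the two text fields, but the date goes in untouched.
function buildConcatenatedQuery(array $post): string
{
    return "INSERT INTO eventcal (eventDate, eventTitle, eventContent) VALUES('"
        . $post['date'] . "','"
        . addslashes($post['eventTitle']) . "','"
        . addslashes($post['eventContent']) . "')";
}

// The hardened version: placeholders keep the values out of the SQL text, so the
// database never parses them as syntax and no escaping function is needed.
function insertEvent(PDO $pdo, array $post): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO eventcal (eventDate, eventTitle, eventContent)
         VALUES (:date, :title, :content)'
    );
    $stmt->execute([
        ':date'    => $post['date'],
        ':title'   => $post['eventTitle'],
        ':content' => $post['eventContent'],
    ]);
}

// Defence in depth: reject anything that is not a real calendar date before it
// reaches the query at all, whichever query style is used.
function isValidDate(string $value): bool
{
    $d = DateTime::createFromFormat('Y-m-d', $value);
    return $d !== false && $d->format('Y-m-d') === $value;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE eventcal (eventDate TEXT, eventTitle TEXT, eventContent TEXT)');

// Constructed input: the unescaped date closes the quoted value early, supplies
// its own title and content, and "-- " comments out the rest of the statement.
$post = [
    'date'         => "2024-01-01','hijacked','x') -- ",
    'eventTitle'   => 'Team meeting',
    'eventContent' => 'Room 4',
];

echo 'date is valid? ', isValidDate($post['date']) ? 'yes' : 'no', PHP_EOL;

// 1. Concatenation: the statement runs, but it stores the attacker's title and
//    content, not the ones the form submitted.
$sql = buildConcatenatedQuery($post);
echo $sql, PHP_EOL;
$pdo->exec($sql);

// 2. Prepared statement: the same input is stored verbatim as one (invalid)
//    date string, and the submitted title and content are kept.
insertEvent($pdo, $post);

foreach ($pdo->query('SELECT eventDate, eventTitle FROM eventcal') as $row) {
    echo $row['eventDate'], ' | ', $row['eventTitle'], PHP_EOL;
}
```

Running it prints the spliced query, then two rows: the one written by concatenation carries the title that arrived inside the date field, while the one written through the prepared statement keeps the submitted title and simply stores the whole payload as the date text. The isValidDate() check is the kind of input validation the answer means by "sanitize"; it is a complement to parameterization, not a replacement for it.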

Single quotes suppress variable interpolation, and the single quotes used in the array index terminate the string.

Also, use a library that supports query parameterization instead of inserting values this way.

+1

Yes, only variables are interpolated inside double quotes, which means that your functions will not be executed in the second block of code.

0
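The interpolation rules the last two answers refer to, as an added example that is not part of the original thread: each case builds the VALUES(...) fragment from the question in a different quoting style, so the difference between literal text, interpolated variables and an un-executed function name is visible side by side. $post is a constructed stand-in for $_POST.

```php
<?php
// Added example, not from the original answers: what PHP does with variables,
// array keys and function calls inside single- and double-quoted strings.
// $post is a constructed stand-in for $_POST.

declare(strict_types=1);

function interpolationCases(array $post): array
{
    return [
        // Single quotes: nothing is interpolated; the text is literal.
        'single'      => 'VALUES(\'$post[date]\')',

        // Double quotes, simple syntax: the variable is interpolated, but the
        // key must be unquoted. Writing "$post['date']" here is a parse error,
        // which is why the question's second block cannot work as written.
        'simple'      => "VALUES('$post[date]')",

        // Double quotes, complex syntax: braces allow a quoted key.
        'complex'     => "VALUES('{$post['date']}')",

        // Function calls are never interpolated: the word addslashes and the
        // parentheses stay as plain text and only $post[eventTitle] is replaced.
        'call_inline' => "VALUES('addslashes($post[eventTitle])')",

        // To actually run the function, leave the string and concatenate.
        'call_concat' => "VALUES('" . addslashes($post['eventTitle']) . "')",
    ];
}

$post = ['date' => '2024-01-01', 'eventTitle' => "Bob's talk"];

foreach (interpolationCases($post) as $label => $sql) {
    printf("%-12s %s\n", $label, $sql);
}
```

The 'call_inline' case is the trap in the question's second snippet: the output still contains the text addslashes(...) wrapped around the raw title, so nothing was escaped. None of these styles is a substitute for a prepared statement; they only explain why the two snippets in the question behave differently.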

Source: https://habr.com/ru/post/1729036/
