Posted by Jeff on June 24, 2008, 2:38 pm
Peter H. Coffin wrote:
> On Tue, 24 Jun 2008 09:41:29 -0700 (PDT), Pépê wrote:
>> I have a page that inserts these values in the table...
>>
>> $fundo_nome = $_POST['fundo_nome'];
>> $fundo_link = $_POST['fundo_link'];
>> $fundo_activo = $_POST['fundo_activo'];
>>
>> $sql = sprintf("INSERT INTO relatorio_fundo(fundo_nome,
>> fundo_link, fundo_activo) VALUES (%s, %s, %s)",
>> mysql_real_escape_string($fundo_nome),
>> mysql_real_escape_string($fundo_link),
>> mysql_real_escape_string($fundo_activo));
>>
>>
>> Then the error appears...:
>>
>> Invalid query: You have an error in your SQL syntax; check the manual
>> that corresponds to your MySQL server version for the right syntax to
>> use near ' , )' at line 1
>
> It's ultimately going to be a comp.databases.mysql question instead,
> but the FIRST debugging step for this kind of problem is to print out
> what's in $sql before you run the query. If the answer isn't obvious
> from looking at the query, ask on the other newsgroup, showing the
> contents of $sql.
>
This seems like a lot of work and it's still susceptible to a stray
single quote.
What possible advantage does this coding style have over the simpler
PDO with prepare and placeholders?
Jeff
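As an added example, not code from the thread, here is the same INSERT written the way Jeff suggests, with a PDO prepared statement and placeholders, placed next to the sprintf pattern from the original post so the failure mode is visible. It uses an in-memory SQLite database so it runs offline with nothing but PHP and pdo_sqlite; with MySQL only the DSN changes. The table and column names come from the post; the helper name insertFundo and the sample input rows are my own.

```php
<?php
// Added example (not from the thread). Runs offline against in-memory SQLite;
// for MySQL swap the DSN for something like 'mysql:host=...;dbname=...'.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE relatorio_fundo (
    id INTEGER PRIMARY KEY,
    fundo_nome TEXT NOT NULL,
    fundo_link TEXT NOT NULL,
    fundo_activo INTEGER NOT NULL
)');

// 1) The pattern from the post: sprintf() with unquoted %s placeholders.
//    The escaped values are pasted straight into the SQL text, so an empty
//    field produces "VALUES (..., , ...)" and the server reports a syntax
//    error; a non-empty value is just as broken because it is not quoted.
$sql = sprintf(
    "INSERT INTO relatorio_fundo(fundo_nome, fundo_link, fundo_activo) VALUES (%s, %s, %s)",
    'Fundo A', '', '1'
);
echo "sprintf query text: $sql\n";
try {
    $pdo->exec($sql);
} catch (PDOException $e) {
    echo "sprintf version failed: {$e->getMessage()}\n";
}

// 2) Prepared statement with named placeholders. The statement text is fixed
//    and the values travel separately, so quotes, semicolons or empty strings
//    in the input cannot change the structure of the query. No escaping call
//    is needed at all.
function insertFundo(PDO $pdo, string $nome, string $link, int $activo): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO relatorio_fundo(fundo_nome, fundo_link, fundo_activo)
         VALUES (:nome, :link, :activo)'
    );
    $stmt->bindValue(':nome', $nome, PDO::PARAM_STR);
    $stmt->bindValue(':link', $link, PDO::PARAM_STR);
    $stmt->bindValue(':activo', $activo, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Constructed inputs, shaped like what $_POST might deliver: an empty link,
// and a name carrying the "stray single quote" plus an injection attempt.
$rows = [
    ['Fundo A', '', 1],
    ["O'Brien'); DROP TABLE relatorio_fundo; --", 'http://example.invalid/', 0],
];
foreach ($rows as [$nome, $link, $activo]) {
    $id = insertFundo($pdo, $nome, $link, $activo);
    echo "inserted id $id\n";
}

// Read back: both rows are stored verbatim and the table still exists.
$result = $pdo->query(
    'SELECT fundo_nome, fundo_link, fundo_activo FROM relatorio_fundo ORDER BY id'
);
foreach ($result as $r) {
    printf("%s | %s | %d\n", $r['fundo_nome'], $r['fundo_link'], $r['fundo_activo']);
}
```

Two caveats when moving this to MySQL: set PDO::ATTR_EMULATE_PREPARES to false so the MySQL driver uses server-side prepares rather than client-side quoting, and validate fundo_activo (an int cast or filter_var() with FILTER_VALIDATE_INT) before binding, since $_POST only ever gives you strings.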