Best way to perform a SQL

felipe_lopes

Hi there guys!!

Lets say I get a $_POST['name'] from a form and I will search my database...
I'm currently doing the following:

$result = sqlite_query("SELECT * FROM foo WHERE name='$_POST[name]'");

I don feel like it is the better way to do it, so Im here to ask how you guys do it?

Roger_Ramjet


$sql = "SELECT * FROM foo WHERE name='$_POST[name]'";

// while in development
$result = sqlite_query($sql) or die($sql . '<br />' . mysql_error());

// when it goes live

$result = @sqlite_query($sql);

bubblenut

... and to prevent sql injection

$sql="SELECT * FROM foo WHERE name='".addslashes($_POST['name']).'"';

... and to reduce the data sent from the database

$sql="SELECT just, the, fields, you, want FROM foo WHERE name='".addslashes($_POST['name'])."'";

Oh, and Rojer, I'm not sure how much mysql_error() is going to do when using sqlite :rolleyes: 😉

Roger_Ramjet

Oh, and Rojer, I'm not sure how much mysql_error() is going to do when using sqlite

not a lot I should think. not that I know anything about sqlite. still it got the ball rolling for felipe.