Can someone explain this to me?

Jermizzle

$connection = mysql_connect($host,$user,$pass) or die ("ERROR:Unable to connect".mysql_error());

mysql_select_db($db) or die ("ERROR: Unable to connect to DB".mysql_error());
function quote_smart($value)
{
    // Stripslashes
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not integer
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

foreach ($_POST as $id => $rating){
    if ($id == 'submit') {
        exit();
    } //exits when it gets to submit
    $update_table =sprintf("
    UPDATE menu
    SET rating = rating + %s
    , number_of_votes = number_of_votes + 1
    WHERE id = %s",
    quote_smart($rating),
    quote_smart($id));
    $result = mysql_query($update_table) or die(mysql_error("Query: ".$update_table." failed"));

}

I have a thread in General Help because i was having problems building my rating system and someone gave a solution with this coding but i do not understand what it is doing. For example where does the %s value come from. I know it outputs the value as a string but from where?
Can someone help.

Thanks

rikmoncur

sprintf

http://uk.php.net/sprintf

Jermizzle

I went there before i made this thread. But still didnt understand it v.well that is why i posted this.

This is what i think it means after reading that info page over and over again.
The rating field is going to be updated with a string (%s) which is going to be the value within $rating.

Is that correct????

If that is correct why dont i just put in $_POST['rating'] if it is going to display a number anyway.

Installer

That statement is equivalent to this:

$update_table = "UPDATE menu 
                 SET rating = rating + " . quote_smart($rating) . ", 
                 number_of_votes = number_of_votes + 1 
                 WHERE id = " . quote_smart($id));

Subsituting $POST['rating'] won't work because the statement is in a loop that enters each element of the $POST array, of which $_POST['rating'] is (apparently) only one, if it exists. So each loop would enter the same value.

rincewind456

If that is correct why dont i just put in $_POST['rating'] if it is going to display a number anyway.

As installer said in this case you shouldn't because you're $_POST is an array, but in any other case you shouldn't.

You cannot guarantee that there is nobody out there that will try an sql injection attack see here for an in depth look at that subject. So you cannot guarantee that a number will be passed to the query, in fact you should have some form of checking to see if the value being passed is in fact an integer, as well as using the quote_smart() function.

Jermizzle

Thanks for the info

Jermz