Comments on: You Suck At Programming And I Hate You: Things NEVER To Do In PHP & SQL http://www.htmlist.com/development/you-suck-at-programming-and-i-hate-you-things-never-to-do-in-php-sql/ A Web Development Blog by Synapse Studios Sun, 05 Feb 2012 02:47:42 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Eric Muyser http://www.htmlist.com/development/you-suck-at-programming-and-i-hate-you-things-never-to-do-in-php-sql/comment-page-1/#comment-570 Eric Muyser Sun, 23 May 2010 14:57:00 +0000 http://www.htmlist.com/?p=94#comment-570 Output Methods Alternative: $html = <<< EOH any HTML allowed herer EOH; Output Methods Alternative:

$html = <<< EOH

any HTML allowed herer

EOH;

]]> By: Dom http://www.htmlist.com/development/you-suck-at-programming-and-i-hate-you-things-never-to-do-in-php-sql/comment-page-1/#comment-180 Dom Fri, 14 Nov 2008 11:18:42 +0000 http://www.htmlist.com/?p=94#comment-180 When I edited php for the first time ever, even I had the common sense to put the html code outside the php tags. When I edited php for the first time ever, even I had the common sense to put the html code outside the php tags.

]]> By: David Bernal http://www.htmlist.com/development/you-suck-at-programming-and-i-hate-you-things-never-to-do-in-php-sql/comment-page-1/#comment-121 David Bernal Mon, 04 Aug 2008 18:12:35 +0000 http://www.htmlist.com/?p=94#comment-121 Nate: I do actually mention mysql_real_escape_string, which is like mysql_escape_string, but it takes into account the current character set. TWD: That is another good option for formatting your queries. Personally, I find concatenating and using single-quotes easier to read, but that's more of a style thing. A third option would be to use sprintf. Nate:
I do actually mention mysql_real_escape_string, which is like mysql_escape_string, but it takes into account the current character set.

TWD:
That is another good option for formatting your queries. Personally, I find concatenating and using single-quotes easier to read, but that’s more of a style thing. A third option would be to use sprintf.

]]> By: TWD http://www.htmlist.com/development/you-suck-at-programming-and-i-hate-you-things-never-to-do-in-php-sql/comment-page-1/#comment-120 TWD Sun, 03 Aug 2008 16:33:36 +0000 http://www.htmlist.com/?p=94#comment-120 Here’s another tip that I see a lot that drives me absolutely nuts: Unnecessarily concatenated strings. PHP provide many great ways to include variables into strings. I would have written your query this way: mysql_query(”INSERT INTO schools VALUES(’{$busId}’, ‘{$busname}’, ‘{$name}’, ‘{$address}’, ‘{$city}’)”); Here’s another tip that I see a lot that drives me absolutely nuts: Unnecessarily concatenated strings. PHP provide many great ways to include variables into strings. I would have written your query this way:

mysql_query(”INSERT INTO schools VALUES(’{$busId}’, ‘{$busname}’, ‘{$name}’, ‘{$address}’, ‘{$city}’)”);

]]> By: Nate True http://www.htmlist.com/development/you-suck-at-programming-and-i-hate-you-things-never-to-do-in-php-sql/comment-page-1/#comment-118 Nate True Sun, 03 Aug 2008 03:56:22 +0000 http://www.htmlist.com/?p=94#comment-118 You forgot to tell them to use mysql_escape_string in their queries. Without that you're vulnerable to injection attacks. (also, magic quotes are a horrible abomination of a security crutch) You forgot to tell them to use mysql_escape_string in their queries. Without that you’re vulnerable to injection attacks.

(also, magic quotes are a horrible abomination of a security crutch)

]]>