dsfds656545 2012-05-12 12:27
Views: 18
Accepted

php + mysql: building a query

Suppose that you need to insert into a table of the db a row with values $a, $b, $c; the values can be unsafe, and the name of the table is stored as a constant in the class performing the operation. It's possible to make the query as follows:

$query = "INSERT INTO `" . self::TABLE . "` " .
    "(a, b, c) VALUES (" .
    intval($a) .
    ",'" . mysql_real_escape_string($b) . "'" .
    ",'" . mysql_real_escape_string($c) . "')";

Here's the question: is there a more elegant way to create a query?


4 answers

  • dqpwdai095465 2012-05-12 12:30

    It's called prepared statements, it exists in MySQLi (good) or PDO (better). I'll add the common thing I add in comments for people who use mysql_*:

    Please stop writing new code with the ancient mysql_* functions. They are no longer maintained and the community has begun the deprecation process. Instead you should learn about prepared statements and use either PDO or MySQLi. If you care to learn, here is a quite good PDO-related tutorial.

    While it is possible to do in mysql_* functions, I highly (really EPICLY) recommend against it.


    In PDO, your code would look like this:

    $query = "INSERT INTO `" . self::TABLE . "` (a, b, c) VALUES (:a, :b, :c);";
    
    $statement = $db_connection->prepare($query);
    
    $statement->bindParam(":a", $a);
    $statement->bindParam(":b", $b);
    $statement->bindParam(":c", $c);
    
    $statement->execute();
    
    This answer was selected as the best answer by the question author.
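The accepted answer's pattern as a complete worked example. This is an added illustration, not code from the asker or the answerer: it assumes a hypothetical class ItemRepository with a TABLE constant, a hypothetical table `items` with columns a (INT), b and c (VARCHAR), and an existing PDO connection; DSN and credentials are placeholders. The table name is checked against a plain-identifier pattern because identifiers cannot be bound as parameters and therefore must stay a trusted constant.

```php
<?php
// Added example (not from the original post): PDO prepared-statement INSERT
// for a class that stores its table name as a constant.
final class ItemRepository
{
    // Hypothetical table name; in real code this is the class's own constant.
    const TABLE = 'items';

    private PDO $db;

    public function __construct(PDO $db)
    {
        // Raise exceptions on SQL errors and turn off emulated prepares so the
        // statement and the values are sent to MySQL separately.
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        $this->db = $db;
    }

    /**
     * Insert one row. $a, $b, $c may come straight from untrusted input:
     * they travel as bound parameters and never become part of the SQL text.
     */
    public function insert(int $a, string $b, string $c): int
    {
        // Identifiers (table and column names) cannot be bound, so the table
        // name must be a trusted constant. This check guards against the
        // constant later being changed to something that breaks the quoting.
        if (!preg_match('/^[A-Za-z0-9_]+$/', self::TABLE)) {
            throw new LogicException('Table name must be a plain identifier');
        }

        $sql  = 'INSERT INTO `' . self::TABLE . '` (a, b, c) VALUES (:a, :b, :c)';
        $stmt = $this->db->prepare($sql);

        // bindValue with explicit types. bindParam (used in the answer) binds
        // by reference and is read at execute() time, which is easy to trip
        // over inside loops; both are equally safe against injection.
        $stmt->bindValue(':a', $a, PDO::PARAM_INT);
        $stmt->bindValue(':b', $b, PDO::PARAM_STR);
        $stmt->bindValue(':c', $c, PDO::PARAM_STR);
        $stmt->execute();

        return (int) $this->db->lastInsertId();
    }
}

// Usage with constructed values; DSN, user and password are placeholders.
$pdo  = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'USER_PLACEHOLDER',
    'PASSWORD_PLACEHOLDER'
);
$repo = new ItemRepository($pdo);

// The apostrophe in $b is stored literally; no escaping call is needed because
// the value never touches the SQL string.
$id = $repo->insert(42, "O'Reilly", "a 'quoted' value");
echo "inserted row id $id\n";
```

Compared with the question's string concatenation, the only thing that still gets concatenated is the table constant, which is exactly the part that is not user-controlled; everything that is user-controlled goes through bindValue.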
