Suppose your form has some fields, and some of them can simply be left blank by the user to be filled in later.
How do you guys handle it before handing it to your SQL query?
I’m still quite new to PHP and here’s how I did it.
function checkVAR( $str )
{
    // HTML-encode the raw request value (quotes included)
    $val = htmlentities( $_REQUEST[$str] , ENT_QUOTES , "UTF-8" );
    // blank field -> the literal NULL, otherwise the value wrapped in single quotes
    if ( $val == "" )
        return "NULL";
    return "'" . $val . "'";
}
So later on, in my query:
$query = "INSERT INTO tblName ( idCol , col2 , col3 ) " .
         "VALUES (" . checkVAR('idcol') . "," . checkVAR('col2') . "," . checkVAR('col3') . ");";
I find my method still quite tedious; I wonder if there are other, better ways of handling this kind of situation. This function of mine does not do well at returning numbers, so I have a separate function that does quite the same, except that it returns 0 instead of NULL.
First, you should not be encoding HTML characters before you input data into the database. What happens if you want that data to be sent via some non-HTML means of display? It is probably gonna look like gobbledygook. You should be, at the very least, escaping string data and ensuring numeric data types are cast to the appropriate types. Better yet would be to use prepared statements.
I’m going to assume that you’re properly using the mysqli extension because the older mysql_* API has been deprecated. You are using the improved extension, right? Right? Ok! However, I would probably look at using prepared statements.
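The same INSERT rewritten around mysqli prepared statements, as an added example that is not part of the question or the answer above. It assumes the table and columns from the question (tblName with idCol as an integer and col2/col3 as nullable strings), and the connection parameters are placeholders. Blank fields become PHP null, which mysqli binds as SQL NULL, so no hand-built "NULL" or quoting is needed, and HTML escaping moves to output time.

```php
<?php
// Added example, not the original poster's code. Assumed: table tblName with
// idCol (INT) and col2, col3 (VARCHAR, nullable); connection values are placeholders.

// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Return the trimmed request value, or null when the field is absent or blank,
 * so that mysqli sends SQL NULL rather than an empty string.
 */
function fieldOrNull(string $name): ?string
{
    if (!isset($_REQUEST[$name])) {
        return null;
    }
    $val = trim((string) $_REQUEST[$name]);
    return $val === '' ? null : $val;
}

/**
 * Integer columns: blank or non-numeric input becomes null instead of 0,
 * and anything else is validated as an integer before being cast.
 */
function intOrNull(string $name): ?int
{
    $val = fieldOrNull($name);
    if ($val === null || filter_var($val, FILTER_VALIDATE_INT) === false) {
        return null;
    }
    return (int) $val;
}

$db = new mysqli('db-host', 'db-user', 'db-pass', 'db-name'); // placeholders
$db->set_charset('utf8mb4');

// Placeholders instead of string concatenation: the request values never
// become part of the SQL text, so the driver handles quoting and escaping.
$stmt = $db->prepare('INSERT INTO tblName (idCol, col2, col3) VALUES (?, ?, ?)');

$id   = intOrNull('idcol');
$col2 = fieldOrNull('col2');
$col3 = fieldOrNull('col3');

// "iss" = one integer, two strings; a bound PHP null is sent as SQL NULL.
$stmt->bind_param('iss', $id, $col2, $col3);
$stmt->execute();

// Escape for the output medium only when rendering, not before storing.
echo htmlspecialchars($col2 ?? '', ENT_QUOTES, 'UTF-8');
```

The two small helpers replace both of the poster's checkVAR variants: the string one returns null for blank input, and the integer one validates before casting rather than quoting a number as text.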