What would be a more professional and error-proof approach with simple mysql, not PDO or anything?
I usually do it like this:
$sql_request = "SELECT *
FROM myusers
WHERE user_id = {$user_id}
AND email = '{$email_address}'
LIMIT 0,1";
However, should I quote {$user_id} as well?
Even when I get user input I don't quote numbers; however, I do check ctype_digit() before processing them.
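The following is an added example, not code from the question or any answer on this page. It takes the question's query and its ctype_digit() check and turns them into two small functions so the unquoted numeric slot can be exercised offline. The function names safe_int and build_user_query, the $escape stand-in, the $link handle in the trailing comment and the sample inputs are all assumptions made for the demonstration; the table and column names are the question's own.

```php
<?php
// Added example, not code from the original question: the poster's query built
// from untrusted input with plain mysqli (no PDO). Table and column names are the
// poster's own; the inputs and the offline escaper below are constructed here.

/**
 * Validate a numeric id the way the question does (ctype_digit) and return it as
 * a real PHP int, so the interpolated literal is an unquoted number the parser
 * sees as an integer. Returns null for anything else ("", "1 OR 1=1", "12abc", "-5").
 */
function safe_int(string $raw): ?int
{
    if ($raw === '' || !ctype_digit($raw)) {
        return null;
    }
    // Assumption: 64-bit PHP. 18 digits stays below PHP_INT_MAX, so (int) cannot
    // silently saturate on an absurdly long "id".
    if (strlen($raw) > 18) {
        return null;
    }
    return (int) $raw;
}

/**
 * Build the poster's query. $escape is the string-escaping function bound to the
 * live connection, normally fn(string $s) => mysqli_real_escape_string($link, $s);
 * it is passed in so this function can be exercised without a database.
 */
function build_user_query(string $rawUserId, string $rawEmail, callable $escape): ?string
{
    $userId = safe_int($rawUserId);
    if ($userId === null) {
        return null;                 // refuse to build a query from a bad id
    }
    $email = $escape($rawEmail);     // string values still need quotes in the SQL text
    return "SELECT * FROM myusers WHERE user_id = {$userId} AND email = '{$email}' LIMIT 0,1";
}

/** The question's original pattern, raw interpolation with no validation, kept only for contrast. */
function build_user_query_unsafe(string $rawUserId, string $rawEmail): string
{
    return "SELECT * FROM myusers WHERE user_id = {$rawUserId} AND email = '{$rawEmail}' LIMIT 0,1";
}

// Offline stand-in for mysqli_real_escape_string (addslashes is not charset-aware;
// do not use it against a real connection).
$escape = fn(string $s): string => addslashes($s);

// Constructed inputs: a legitimate request and a classic injection aimed at the
// unquoted numeric slot.
$goodId = '42';            $goodEmail = 'alice@example.com';
$badId  = '1 OR 1=1 -- ';  $badEmail  = 'x';

echo build_user_query_unsafe($badId, $badEmail), "\n";       // injected query goes through
var_dump(build_user_query($badId, $badEmail, $escape));       // rejected before any SQL is built
echo build_user_query($goodId, $goodEmail, $escape), "\n";    // unquoted int, quoted escaped email

// mysqli prepared statements (still not PDO) keep the values out of the SQL text
// entirely and declare the int type explicitly; $link is an assumed mysqli handle:
//   $stmt = $link->prepare('SELECT * FROM myusers WHERE user_id = ? AND email = ? LIMIT 0,1');
//   $stmt->bind_param('is', $userId, $email);
//   $stmt->execute();
```

With the attack input, the unsafe builder produces `SELECT * FROM myusers WHERE user_id = 1 OR 1=1 -- ' AND email = 'x' LIMIT 0,1`; the `-- ` comment swallows the email condition and every row satisfies the WHERE clause, which is exactly why an unquoted slot is the most dangerous one to interpolate into. safe_int() rejects that input, and because it returns a PHP int the literal that reaches MySQL is a bare number, so the parser sees an integer and no implicit string conversion is involved. Two caveats on ctype_digit(): always pass it the raw string (given an int it checks the ASCII code of that value instead), and it accepts arbitrarily long digit runs, hence the length cap before the (int) cast.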
I would strongly suggest being careful when quoting numerical values. Here is what happened to me: an optimized, often-run query produced insane amounts of IO and quite some CPU load:
with the selectivity being some 100 rows out of millions. I checked the execution plan: lo and behold, full table scan on the driving table. I checked the index on foo(intcolumn) again and again, even dropped and recreated it, no luck. Query time was in the minutes.
... took less than 0.1 seconds. For some reason, MySQL had chosen to cast all foo.intcolumn to VARCHAR and then do a string compare to '17'. Of course this included ignoring the index. I don't know if I hit an exotic bug in an old version of MySQL, but I surely took away one thing: make sure the parser knows what data type I intend to use. This of course can be tricky with quoted numerals.