Variable in Query?
#5

[eluser]tonanbarbarian[/eluser]
For best speed and security use this:
Code:
$query = $this->db->query('SELECT * FROM pages WHERE pageID='.(int)$id);
Using single quotes is faster in PHP because if you use double quotes PHP must search the string for variables to replace, which is slower than just concatenating a variable onto the end of the string.
Also, casting the variable as an int is the safest thing to do to stop any sort of cross-site scripting (i.e. XSS).
So even though $this->uri->segment() may do an xss_clean (the manual is unclear whether this is done or not, and I haven't checked the code yet), if you cast the variable, any malicious value entered will be converted to a number and will not cause any harm.

Just my thoughts on best practice
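As an added illustration (not part of tonanbarbarian's post and not CodeIgniter code), the standalone PHP script below builds the query string with and without the (int) cast for a few constructed inputs, so the effect of the cast can be seen without a database. The table and column names are the ones used in the post; the sample inputs are made up.

```php
<?php
// Added example: not from the original post or from CodeIgniter.
// Builds both query strings so the effect of the cast is visible.

function rawQuery(string $id): string
{
    // Unsafe: the value is spliced into the SQL exactly as received.
    return 'SELECT * FROM pages WHERE pageID=' . $id;
}

function castQuery(string $id): string
{
    // The cast keeps only a leading integer; anything else becomes 0.
    return 'SELECT * FROM pages WHERE pageID=' . (int) $id;
}

// Constructed inputs, standing in for what a URI segment might carry.
$samples = [
    '42',         // normal id: unchanged
    '42 OR 1=1',  // trailing SQL text: the cast keeps only 42
    'abc',        // non-numeric: becomes 0, so the query matches no real page
    ' 7',         // leading whitespace is skipped: 7
    '-1',         // negative numbers survive the cast; check range separately
];

foreach ($samples as $s) {
    printf("%-14s raw:  %s\n", var_export($s, true), rawQuery($s));
    printf("%-14s cast: %s\n\n", '', castQuery($s));
}
```

The cast only works for integer columns; for string values CodeIgniter's query bindings (`$this->db->query('SELECT * FROM pages WHERE slug = ?', array($slug))`) let the library escape the value instead.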




