Changing built-in PHP variable to a local variable

Okay, I will buy your strong recommendation.
I found some of my coding practice is bad.
I would like to improve my coding practice, especially in my new project.

By the way,
I found the code below doesn’t work correctly.

$sql=("INSERT INTO test ( name)
VALUES (  '$_SERVER[HTTP_REFERER] ') ");

Instead of the code above, is the code below Okay?

$SERVER_HTTP_REFERER = $_SERVER[HTTP_REFERER];
$sql=("INSERT INTO test ( name)
VALUES ( '$SERVER_HTTP_REFERER') ");

Sometimes script can be simplified and makes debugging a lot easier as can be seen in this post

Please edit your post and start and finish the script with three backticks on a single line because the editor has removed some characters.

I am on the way to editing it, but it’s not easy to do.
What does it mean by “backticks”?

A backtick character is usually the top left key on American keyboards and is a single quote mark facing backwards.

Alternatively highlight the script and use the forum post shortcut </> which is at the top of the editor post box.

If this explanation is not clear then search for backtick.

I fixed it.


This is what I meant:

// BAD
$SERVER_HTTP_REFERER = $_SERVER[HTTP_REFERER];
$sql=("INSERT INTO test ( name)
VALUES ( '$SERVER_HTTP_REFERER') ");

// GOOD
$SERVER_HTTP_REFERER = $_SERVER['HTTP_REFERER'];

// the value is a string, so the SQL literal still needs its own quotes
$sql = "INSERT INTO test ( `name` )
VALUES ('" . $SERVER_HTTP_REFERER . "')";

// BETTER
$sql = 'INSERT INTO test ( `name` )
VALUES (\'' . $_SERVER['HTTP_REFERER'] . '\')';

Edit:
There is a big difference in using single and double quotes containing variables.

I far prefer to use single quotes when enclosing strings then concatenating variables because it seems far less confusing.

Unfortunately it is neither good, nor better. You need to use Prepared Statements. Variables have no business in a query whatsoever and creating variables for nothing is never a good idea.

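The prepared-statement approach the reply above calls for, as an added example that is not code from the thread. It runs the concatenated INSERT from the earlier posts beside a PDO prepared statement against an in-memory SQLite database (assumed available through the pdo_sqlite extension) using a constructed Referer value, so the difference can be observed without a MySQL server:

```php
<?php
// Added example, not from the thread. Assumes the pdo_sqlite extension is
// loaded; the table and the Referer value below are constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE test (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed Referer header. Any client can send this header with any
// content; this one is shaped to close the string literal in a concatenated
// query and add a second row.
$_SERVER['HTTP_REFERER'] = "https://example.com/'), ('injected";

// 1. The thread's approach: the header is spliced into the SQL text, so the
//    client decides what the statement says. Here it becomes
//    INSERT INTO test (name) VALUES ('https://example.com/'), ('injected')
$unsafeSql = "INSERT INTO test (name) VALUES ('" . $_SERVER['HTTP_REFERER'] . "')";
try {
    $pdo->exec($unsafeSql);
    $rows = (int) $pdo->query('SELECT COUNT(*) FROM test')->fetchColumn();
    echo "Concatenated query ran and inserted $rows rows (one was intended)\n";
} catch (PDOException $e) {
    // A differently shaped header produces a syntax error instead; either way
    // the header's content is being parsed as SQL.
    echo 'Concatenated query failed: ' . $e->getMessage() . "\n";
}
$pdo->exec('DELETE FROM test');

// 2. Prepared statement: the SQL text is fixed before any data is seen and the
//    header is bound as a value, so it can only be stored, never executed.
//    The Referer header is optional, so fall back to an empty string when the
//    browser did not send one.
$stmt = $pdo->prepare('INSERT INTO test (name) VALUES (:name)');
$stmt->execute([':name' => $_SERVER['HTTP_REFERER'] ?? '']);

$stored = $pdo->query('SELECT name FROM test')->fetchAll(PDO::FETCH_COLUMN);
echo 'Prepared statement inserted ' . count($stored) . " row holding the literal header:\n";
echo '  ' . $stored[0] . "\n";
```

Run it with `php example.php`. When the same pattern is used against MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the binding is done by the server rather than by the PDO driver building a string on the client.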

I was just trying to solve the Post #22 “By the way, I found the code below doesn’t work correctly.”


I agree that inserting variables can cause security problems, which Prepared Statements overcome. I find there is an abundance of poor and outdated information on MySql and also MySqli, which gets trusted because “it is on the Internet so it must be true”. It is not easy when starting to know what is best :frowning:

Perhaps the next PHP version will drop MySqli and only allow PDO or as an intermediate measure raise warnings.

I figured it was something like that. I know you know to use Prepared Statements. :grinning:

I would fully support dropping Mysqli. I think PHP 8 would be a great place to do that.


Yeah, I’m really looking forward to all the new tutorials containing

$pdo->query('select * from foo where id = $_GET["bar"]');

LOL


Simple enough…

PHP 8 Proposed Spec…

$pdo->query('select * from foo where id = $_GET["bar"]');

Parse error: syntax error, unexpected $ in /home/sumuser/sumproject/somefile.php on line 15


I don’t doubt it will happen.
At least it will be easier to steer them in the right direction from that, instead of having to remember (look up) mysqli syntax that you haven’t used in years.

Interesting idea, though don’t know if it’s just me, but I will confess to using variables in queries. Never user input, but sometimes variables set explicitly in the script, away from outside interference.


That is the one case you could be OK doing it, but for the sake of consistency I would say “never” do it.

Is there already an RFC on that?

Not that I know of. That would be my proposal.

Didn’t expect someone here to take this seriously…

After a few years of why is my script telling "undefined function mysqli_something..."

Wouldn’t matter, as the query is enclosed in single-quotes, so wouldn’t be parsed for variable names anyway. Probably.