Notation for using a $_POST value with WHERE

Validation aside, what’s the proper notation for using a $_POST value (or any other array value) in this mysql query?

FROM table
WHERE addr = $_POST['addr_clear']

$addr_clear = $_POST['addr_clear'];
$sql = "SELECT *
        FROM table
        WHERE addr = '" . $addr_clear . "'";

Assuming you would use a POST value within a query without first validating, but you already know that :wink:

That’s the way I’ve always done it; with a variable. I’m just trying to decide whether mysql allows an array’s index. If it does, what’s the notation for using it? I thought I tried all the notation possibilities. Maybe not. I’d just like to know if it’s possible, and what the correct notation is. I understand it’s not best practice.

Just the same as if you were using a variable and escaping as I have done in the example.
The array index would work the same as the variable.

Never use a $_POST variable for anything other than as input to a validation function.

It is the variable that contains the validated value that you would use in the actual processing (such as a database query).

If you don’t, then all anyone need do is to enter an appropriate value in the field to get a dump of your entire database content.

All they’d need to do is to enter " or 1=1; drop table into $addr_clear to both dump the entire content of the table and then delete the entire table.
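As an added example (not code from either poster), the two interpolation notations the question asks about, followed by the form the last reply recommends: validate first, then bind the value as a query parameter. It assumes a PDO connection `$db` and a table `addresses` with a column `addr`; both are placeholders.

```php
<?php
// Added example, not from the original thread. Assumes $db is a PDO connection
// and that a table `addresses` with a column `addr` exists (placeholder names).

// 1. The notation question: a PHP array element can be written straight into a
//    double-quoted string by wrapping it in braces ...
$sql = "SELECT * FROM addresses WHERE addr = '{$_POST['addr_clear']}'";
//    ... or concatenated exactly as a plain variable would be.
$sql = "SELECT * FROM addresses WHERE addr = '" . $_POST['addr_clear'] . "'";
// Both build a valid string, and both are injectable: the raw value is glued
// into the SQL text, so any quote characters in it become part of the statement.

// 2. The safe form: validate the input into its own variable, then bind that
//    variable as a parameter. The driver sends it separately from the SQL text,
//    so it is only ever treated as data, whatever characters it contains.
function findByAddr(PDO $db, array $post): array
{
    $addr = trim((string) ($post['addr_clear'] ?? ''));
    if ($addr === '' || strlen($addr) > 100) {
        throw new InvalidArgumentException('addr_clear is missing or too long');
    }

    $stmt = $db->prepare('SELECT * FROM addresses WHERE addr = :addr');
    $stmt->execute([':addr' => $addr]);   // $addr is bound, never interpolated
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed usage: an address containing an apostrophe is handled correctly
// by the bound parameter, where the interpolated versions above would break.
$rows = findByAddr($db, ['addr_clear' => "12 O'Connell Street"]);
```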