
I am wondering about the safe or correct way to pass a $variable to a query. I am new to PHP, that's why I am asking such a beginner question. Here are examples one and two; which one is correct and safer because of symbols?

Example one:

    //here is the line I am asking about. The $identification
    $query = "SELECT * FROM `members` WHERE `username` = '$identification' LIMIT 1";

Example two:

    //here is the line I am asking about. The $identification
    $query = "SELECT * FROM `members` WHERE `username` = '" . $identification . "' LIMIT 1";

I don't need answers about PHP 4 or 5 or PDO. I just need to know what is correct:

This

    '" . $identification . "'

Or this

    '$identification'

nonoyesyes
  • http://php.net/manual/en/mysqli-stmt.bind-param.php – Alex Apr 18 '15 at 13:29
  • Cannot run php 5 on my shared hosting provider – nonoyesyes Apr 18 '15 at 13:30
  • I can't believe it, what is your PHP version? And who is your hosting provider? – Alex Apr 18 '15 at 13:35
  • *"Cannot run php 5 on my shared hosting provider"* - You have `mysqli_` code in your question. Guess what; `mysqli_` runs on PHP 5. http://php.net/manual/en/class.mysqli.php – Funk Forty Niner Apr 18 '15 at 13:36
  • Hello Fred. Really? My hosting provider said they run 4.5 or 4 point something. I tried to run a script and it did not work – nonoyesyes Apr 18 '15 at 13:45
  • Could you provide the hosting company link please? http://en.wikipedia.org/wiki/MySQL version 5 was released 10 years ago. That means for IT at least 2 or 3 generations of hardware/software platforms have passed. Where did you find such a hoster? – Alex Apr 18 '15 at 13:48
  • It's www.creattiva.cl – nonoyesyes Apr 18 '15 at 13:51
  • LOL ok I will call them to be sure – nonoyesyes Apr 18 '15 at 13:52
  • I edited the question because what I am asking about is something nobody is talking about – nonoyesyes Apr 18 '15 at 13:55
  • https://www.creattiva.cl/hosting-reseller/#fragment-3 *MySQL v4.1.21-standard / Enhanced PHP v4.4.3* run away!!! imho you will meet hundreds issues if they never update software for 10 years – Alex Apr 18 '15 at 13:58
  • Yeah, that's correct. Their servers are really fast anyway and not cheap prices. Quality servers but using old PHP and they don't want to change – nonoyesyes Apr 18 '15 at 14:05
  • Jeez, that's pricey. Not sure whether you're happy to outsource to another country, but I know of at least one that's about the same price as their cheapest plan doing way more and more unlimited. – Adsy2010 Apr 18 '15 at 14:19
  • give me the url I will check it because I really want PHP 5 but in the American continent – nonoyesyes Apr 18 '15 at 14:29

2 Answers


How about

    $query =
        "SELECT * FROM `members` WHERE `username` = '" .
        mysql_escape_string($identification) .
        "' LIMIT 1";

http://php.net/manual/en/function.mysql-escape-string.php

However, mysql_escape_string is deprecated. If you can, you should use mysql_real_escape_string.

http://php.net/manual/en/function.mysql-real-escape-string.php

AmmarCSE


I would recommend using PDO instead of the mysqli extension (works with PHP 5.1 and above).

http://code.tutsplus.com/tutorials/why-you-should-be-using-phps-pdo-for-database-access--net-12059

tonka
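Added example, not code from the question or from either answer: it builds the query with the two forms from the question, with the escaping route the first answer recommends, and with the prepared-statement route the second answer recommends, then runs each against an in-memory SQLite database through PDO. The `members` rows are constructed for the example. It assumes PHP 7 or later with the `pdo_sqlite` extension, and `PDO::quote()` stands in for `mysql_real_escape_string()`, which needs a live MySQL link and, like the rest of the `mysql_*` functions, no longer exists in PHP 7.

```php
<?php
// Added example (not from the question or the answers): compare the two
// string-building forms from the question with an escaped literal and with a
// prepared statement, against an in-memory SQLite database via PDO.
// Assumes PHP 7+ with the pdo_sqlite extension available.

function buildInterpolated(string $identification): string
{
    // Form one from the question: variable expanded inside a double-quoted string.
    return "SELECT * FROM `members` WHERE `username` = '$identification' LIMIT 1";
}

function buildConcatenated(string $identification): string
{
    // Form two from the question: variable joined with the concatenation operator.
    return "SELECT * FROM `members` WHERE `username` = '" . $identification . "' LIMIT 1";
}

function buildEscaped(PDO $pdo, string $identification): string
{
    // PDO::quote() stands in for mysql_real_escape_string(): both return a
    // quoted, driver-escaped literal, so a quote inside the value stays data.
    return "SELECT * FROM `members` WHERE `username` = " . $pdo->quote($identification) . " LIMIT 1";
}

function runPrepared(PDO $pdo, string $identification)
{
    // Placeholder: the value is sent separately from the SQL text, so nothing
    // in the value can alter the structure of the statement.
    $stmt = $pdo->prepare("SELECT * FROM `members` WHERE `username` = ? LIMIT 1");
    $stmt->execute([$identification]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

function runRaw(PDO $pdo, string $sql): string
{
    // Execute a fully built query string and report the outcome as text.
    try {
        $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
        return $row === false ? 'no row' : $row['username'];
    } catch (PDOException $e) {
        return 'SQL error: ' . $e->getMessage();
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table; the usernames are made up for this example.
$pdo->exec("CREATE TABLE `members` (`id` INTEGER PRIMARY KEY, `username` TEXT)");
$pdo->exec("INSERT INTO `members` (`username`) VALUES ('alice'), ('O''Brien')");

// The two forms from the question produce the identical string, so they are
// equally safe (or unsafe): the difference is only syntax, not quoting.
echo 'same string: ';
var_dump(buildInterpolated('alice') === buildConcatenated('alice'));

// A username that legitimately contains an apostrophe shows the difference:
// the raw forms break the statement, the escaped and prepared forms do not.
foreach (['alice', "O'Brien"] as $name) {
    echo "input: $name\n";
    echo "  interpolated: " . runRaw($pdo, buildInterpolated($name)) . "\n";
    echo "  escaped:      " . runRaw($pdo, buildEscaped($pdo, $name)) . "\n";
    $row = runPrepared($pdo, $name);
    echo "  prepared:     " . ($row ? $row['username'] : 'no row') . "\n";
}
```

Run it with `php example.php`. The raw forms fail as soon as the value contains a single quote, which is the same mechanism that lets a crafted value change the query; the escaped form survives because the driver quotes the value, and the prepared form survives because the value never becomes part of the SQL text at all, which is why the second answer's PDO recommendation is the stronger of the two.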