Dot notations 2

DaSe

Programmer
Feb 14, 2008
149
GB
Hi guys,
Could you explain please why there's a need to put the dots before and after the $_GET['movie_id'] in this case? In the second case I guess they are to avoid the double quotes that are assigned to HTML tags? Thanks for any comments.

----------------------------------------------------------
$movie_query = "SELECT
*
FROM
movie
WHERE
movie_id ='".$_GET['movie_id']."'";
---------------------------------------------------------

else{
$font_color ='blue';
$profit_or_loss = "Broke even";
}
return "<font color='$font_color'>".$profit_or_loss."</font>";
}
------------------------------------------------------------
 
Hi

PHP Documentation said:
There are two string operators. The first is the concatenation operator ('.'), which returns the concatenation of its right and left arguments. The second is the concatenating assignment operator ('.='), which appends the argument on the right side to the argument on the left side.
PHP | Language Reference | Operators | String Operators

Feherke.
 
Thanks, yes I know what they mean, but could you explain their role further in this specific piece of code? The code doesn't execute without the dots. Thank you.

( movie_id ='".$_GET['movie_id']."'"; )

 
Hi

If you put two integers one beside the other like this, will it work?
Code:
$result=4 2;
Or if you put an integer beside a variable like this, will it work?
Code:
$result=4 $_GET['movie_id'];
Then putting a string beside a variable like this, why should it work?
Code:
$result="SQL statement here" $_GET['movie_id'];
In your code fragment there are 3 values, why should anything happen with them if you do not specify the operator?
Code:
$movie_query = "SELECT
               *
         FROM
                 movie
         WHERE
                  movie_id ='".$_GET['movie_id']."'";

Feherke.
 
Maxi thanks feherke. Of course that makes sense !
 
It might be worthwhile pointing out that using $_GET directly is a bad idea for several reasons. For example, you make the assumption that (in your example) movie_id has been specified in the querystring and is a valid data type. In your example movie_id looks like it might be an integer; if I supply a string it will upset the query execution and cause your web page to fail. So you might actually test the value to see if it exists and is a valid integer.
Second one is a bad user could potentially put some malicious code in your querystring e.g.
?movie_id=1234';drop table movie
which would be most unexpected (that might not work directly but fiddling about with quotes might get it to work). What I intend it to do is close off the select and then issue a second query to drop your table. Fair enough, I would need to understand the internals of your code, but the point is valid.
We have had debates on this forum on how much detail to give to a post and if we should expand the question. Looking at your original question about the use of the . concatenation operator, I thought you might like a bit more of a nudge into what might be considered good practice.
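
Editor's added example, not part of any poster's reply: the check described above (does movie_id exist, is it a valid integer) followed by a bound parameter in place of the dot-concatenated query. It assumes PHP 7.1+ with the pdo_sqlite extension; the in-memory table, the movie_name column and the find_movie() helper are constructed for illustration.

```php
<?php
// Constructed in-memory stand-in for the thread's `movie` table (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE movie (movie_id INTEGER PRIMARY KEY, movie_name TEXT)");
$db->exec("INSERT INTO movie VALUES (1234, 'Sample Movie')");

// Hypothetical helper: returns the matching row, or null when movie_id is
// missing, is not a positive integer, or matches no row.
function find_movie(PDO $db, array $query): ?array
{
    // 1. Existence check: the parameter may be absent, or an array (movie_id[]=1).
    if (!isset($query['movie_id']) || !is_string($query['movie_id'])) {
        return null;
    }
    // 2. Type check: anything that is not purely an integer >= 1 is refused,
    //    so quotes and trailing SQL never get near the query text.
    $id = filter_var($query['movie_id'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // 3. Placeholder instead of concatenation: the SQL text is fixed and the
    //    value travels separately, typed as an integer.
    $stmt = $db->prepare('SELECT * FROM movie WHERE movie_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs standing in for $_GET, including the querystring
// value quoted in the post above.
$samples = [
    ['movie_id' => '1234'],
    ['movie_id' => "1234';drop table movie"],
    ['movie_id' => 'abc'],
    [],
];
foreach ($samples as $q) {
    $row = find_movie($db, $q);
    echo json_encode($q), ' => ',
         $row ? $row['movie_name'] : 'rejected or not found', PHP_EOL;
}
// Count the rows afterwards to confirm the table is still present.
echo 'rows in movie: ',
     $db->query('SELECT COUNT(*) FROM movie')->fetchColumn(), PHP_EOL;
```

In a page handler the call would be find_movie($db, $_GET); a null result is the place to return an error page instead of running the query.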
 
Sure. Thanks Ingresman for expanding the topic. Interesting, I'll try to focus more on it.
 