$sql = "Update table set Nikename='{$nikename}' where userid={$userid}";
$sql = sprintf("Update table set Nikename='%s' where userid=%d", $nikename, $userid);
Reply to discussion (solution)
I don't know, it feels like PHP is very hot now.
I'm going to have to quote you first.
$nikename = mysql_real_escape_string($nikename);
$userid   = mysql_real_escape_string($userid);
In the second way, %d guarantees that $userid must be a number, not a string.
Still learning PHP, can't read this.
$sql = mysql_query("Update ulist set name='$name' where id=$id");
I usually write it that way. I don't know what the difference is from the OP's.
My habit is the first when writing SQL directly, the second when encapsulating.
The 2nd way of writing is much clearer than the 1st, even without needing a comment.
In terms of operational efficiency, the two are about the same.
$nikename = "Test'; delete ...";
$sql = "Update table set Nikename='{$nikename}' where userid={$userid}";
var_dump($sql);
The two methods are similar; the first is my habit. But both need to filter the data, otherwise there is an injection risk.
Definitely PDO ...
$sql = "Update table set Nikename='{$nikename}' where userid={$userid}";
Advantages: Intuitive. The speed should be slightly faster than the second type.
Cons: SQL injection risk.
$sql = sprintf("Update table set Nikename='%s' where userid=%d", $nikename, $userid);
Pros: Intuitive, and userid is forced to be numeric.
Cons: SQL injection risk.
I usually use the first kind.
Efficiency well, I guess the first one is faster.
The second kind I haven't seen. I'm kind of ignorant.
In fact, I have always used the second (haven't done PHP projects for several years). This month I joined a company that says the first kind is better, and I couldn't decide which is better, so I'm asking the brothers and sisters who have written PHP for a long time.
Just getting started.
Programmers familiar with C must be accustomed to the second kind.
Indicates that the first form of writing has been ...
Personally I feel that the first is faster than the second,
even if only by a little bit,
after all, the second way passes the string through a function to format it.
Take echo and print:
books have mentioned that the former is more efficient than the latter,
since the latter returns a value and the former does not.
Of course, the PHP documentation doesn't mention this.
Besides, you're using sprintf now;
maybe your company feels the same way, right?
And would using mysqli stmt be better than sprintf?
Mysqli stmt seems safer and reads clearly.
Purely personal opinion, I am also a novice, haha ...
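As an added example (not code from any of the replies above), here is the UPDATE from the question rewritten as a mysqli prepared statement and as a PDO prepared statement, which is what the PDO and mysqli stmt suggestions amount to. The table name `users`, the columns `nickname` and `userid`, and the connection details are assumed placeholders.

```php
<?php
// Added example: the UPDATE from the question as prepared statements.
// Assumed schema: table `users`, columns `nickname` (string) and `userid` (int).

function update_nickname_mysqli(mysqli $db, string $nickname, int $userid): bool
{
    // The SQL text contains no user data; the ? markers are bound separately,
    // so a value like "Test'; delete ..." is stored as a literal string and
    // never becomes part of the query.
    $stmt = $db->prepare('UPDATE users SET nickname = ? WHERE userid = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // "s" = string, "i" = integer. Binding userid as an integer also gives the
    // numeric guarantee that the sprintf %d version relied on.
    $stmt->bind_param('si', $nickname, $userid);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function update_nickname_pdo(PDO $db, string $nickname, int $userid): int
{
    $stmt = $db->prepare('UPDATE users SET nickname = :nick WHERE userid = :id');
    $stmt->bindValue(':nick', $nickname, PDO::PARAM_STR);
    $stmt->bindValue(':id', $userid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // number of rows changed
}

// Usage with assumed connection details.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors instead of returning false
$mysqli = new mysqli('localhost', 'dbuser', 'dbpass', 'app');
update_nickname_mysqli($mysqli, "Test'; delete ...", 42); // the nickname is stored verbatim

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares, not client-side quoting
]);
update_nickname_pdo($pdo, "Test'; delete ...", 42);
```

Unlike mysql_real_escape_string, which depends on the connection charset being set correctly, the bound parameters are sent separately from the query text and need no escaping.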