Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 90
  • Last Modified:

I don't this this is a correct way of commenting out some SQL in PHP. Agree or disagree...?

I'm working on some code that has potentially several things amiss, but this is something I found and I want some other eyes on it. I don't know if this is a dealbreaker, but tell me what you think:

Here's the function as it looks currently...

function checkStatementWorthy($accountid){
    $sql = "select Account.* from Account (nolock)
    JOIN Practice (nolock) on Practice.Practiceid = Account.PracticeID
    Join Client (nolock) on Client.Clientid = Practice.ClientID
    Where dbo.ufn_AccountCurrentBalance(Account.AccountID) > 0
    --and Client.ClientStatusCode not in ('HD', 'ST')
    and Account.Accountid = $accountid";
	echo $sql;
    return pconnectdb($sql);
  }

Open in new window


Notice the line that is prefaced with "--." Now, I understand that works fine in MSSQL Studio, but after testing it with some other scenarios, it doesn't resonate in PHP as a "comment." Rather, it produces an error.

If I'm correct, I may very well be regarded as a hero in the workplace for figuring this puppy out.

Let me know if I need to get my cape...
0
brucegust
Asked:
brucegust
3 Solutions
 
Marco GasiFreelancerCommented:
Lol. In php you cn comment a line by preceeding it with a double slash so it is not so different.
I suspect you are not using an IDE or a good editor with syntax highlighting because if you did you would see immediately if a line is comment or code
I personally like and use Netbeans IDE
comments in Netbeans IDEIn my color scheme comments are in grey and you can recognize them immediately and easily.
0
 
zephyr_hex (Megan)DeveloperCommented:
In PHP-land, the query is just a string.  The "comment out" does not comment anything out in PHP-land in this case because PHP is not evaluating the string.  It's just assigning it to a variable.  PHP passes the string to SQL, and SQL will see "--" as a comment.  However... I'd be careful with this approach because it's not abundantly clear where the comment out terminates.   In fact, I believe SQL will ignore everything after the "--", including what looks like the next line in PHP.  The string doesn't contain carriage returns, if you look at in via var_dump:

sql

 Using "/*  stuff to comment out */ " would be a clearer approach.
And I don't see any errors being thrown in PHP in that string (there is an error with undefined function pconnectdb(), but I suspect that's because I'm only looking at a snippet)
0
 
Dave BaldwinFixer of ProblemsCommented:
I would never send an SQL string with a 'comment' in PHP.  There is just no reason to do that.  You can always save that info elsewhere in a PHP comment if you need it.  

And you never know what the drivers are going to do with it.  The database drivers in PHP don't just pass on the string in a lot of cases.  They read it and may parse it to make it conform to whatever the communication requirements are.
0
 
brucegustAuthor Commented:
See, here's the thing:

      $querystate = "select * from email_header
      where id>3
      order by header_name
      ";

That works.

This, however...

      $querystate = "select * from email_header
      where id>3
      --order by header_name
      ";

...doesn't even fire.

I think that what I'm looking is a scenario where someone who's more in tune with T-SQL and MSSQL Studio was attempting to pop the hood on this page and made, what they thought was, an incremental edit, not knowing that it had the potential to be a dealbreaker.

Thanks!
0

Featured Post

Ask an Anonymous Question!

Don't feel intimidated by what you don't know. Ask your question anonymously. It's easy! Learn more and upgrade.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now