THE BORE
General => The Superdeep Borehole => Topic started by: GilloD on January 07, 2009, 04:37:52 PM
-
So I just started a little MySQL/PHP project for work. It's kind of a fun thing, I've never attempted it before and I'm STUCK. There's an HTML form that POSTs to a PHP script that punts it to MySQL. However, I got a prob with this chunk of code:
mysql_query("INSERT INTO promotrack (distributor, retailer, broker)
VALUES ('$_POST['distrib']','$_POST['retail']','$_POST['broke']') ")
If I were to do mysql_query("INSERT INTO promotrack (distributor, retailer, broker)
VALUES ('Steve','Joe','Hank') ")
I'd be fine. Specifically the error is:
Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /var/www/vhosts/asilenttreatment.org/httpdocs/php/AshDB/createrecord.php on line 94
I tried loading it into a variable and doing it that way, blah blah. I'm sure this is a bone head 101 mistake, but I need HALP!
-
HA DURR. Fixed :)
The ' ' inside the POST was making it think I was trying to post the string of the variable blah blahsdg fdl;jkfl;ds
-
edit: nevermind you fixed it
-
In general, though, it's a bad idea to take post data and insert it directly into a SQL statement without type-checking (for non-string values) or at the minimum escaping single quotes (for strings). But I'm sure you knew that, right? SQL Injection attacks aren't fun.
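As an added illustration (not code from the original thread), here is the poster's INSERT written two ways: first with the parse error from the opening post fixed (braces around the array access so PHP can interpolate it in a double-quoted string), which still lets a single quote in the input break out of the SQL string literal, and then as a prepared statement with bound parameters, which is the fix this reply is pointing at. The table name and the three string columns come from the thread; the `qty` field and its integer column, the DSN and the credentials are assumptions for the example, and the example uses PDO rather than the old `mysql_*` functions in the original.

```php
<?php
// Added example, not from the original thread.
// Assumes: table promotrack(distributor, retailer, broker) as in the thread,
// plus a hypothetical integer column `qty`; DSN/credentials below are placeholders.

// 1. The original query once the parse error is fixed: {$_POST['x']} interpolates
//    inside a double-quoted string. It compiles, but the values become part of the
//    SQL text, so any single quote in them ends the literal early (SQL injection).
function buildInsertUnsafe(array $post): string
{
    return "INSERT INTO promotrack (distributor, retailer, broker)
            VALUES ('{$post['distrib']}','{$post['retail']}','{$post['broke']}')";
}

// Type check for a non-string value: reject anything that is not an integer
// instead of trusting what the form sent.
function requireInt(array $post, string $field): int
{
    $value = filter_var($post[$field] ?? '', FILTER_VALIDATE_INT);
    if ($value === false) {
        throw new InvalidArgumentException("field $field must be an integer");
    }
    return $value;
}

// 2. Hardened version: the SQL text is fixed, values travel as bound parameters,
//    so quotes, semicolons or comment markers in the input are just data.
function insertPromotrack(PDO $db, array $post): bool
{
    foreach (['distrib', 'retail', 'broke'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("missing or non-string field: $field");
        }
    }
    $qty = requireInt($post, 'qty');

    $stmt = $db->prepare(
        'INSERT INTO promotrack (distributor, retailer, broker, qty) VALUES (?, ?, ?, ?)'
    );
    $stmt->bindValue(1, $post['distrib'], PDO::PARAM_STR);
    $stmt->bindValue(2, $post['retail'], PDO::PARAM_STR);
    $stmt->bindValue(3, $post['broke'], PDO::PARAM_STR);
    $stmt->bindValue(4, $qty, PDO::PARAM_INT);
    return $stmt->execute();
}

// Constructed input: a retailer name containing a single quote, as a real
// form submission (or an attacker) might send it.
$post = ['distrib' => 'Steve', 'retail' => "O'Brien", 'broke' => 'Hank', 'qty' => '12'];

// The unsafe build shows the problem: the quote in O'Brien closes the literal.
// A field value of  ','');DROP TABLE promotrack;--  would run a second statement.
echo buildInsertUnsafe($post), "\n";

// The safe path (placeholder DSN and credentials; adjust for the real server).
$db = new PDO('mysql:host=localhost;dbname=AshDB;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE         => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let the MySQL server do the preparing
]);
insertPromotrack($db, $post);
echo "inserted O'Brien safely\n";
```

The "at minimum escaping single quotes" route from the reply would be `mysqli_real_escape_string()` on each string before interpolating it; bound parameters remove the need for that step entirely, which is why they are the default recommendation, and the integer check covers the non-string case where escaping quotes does nothing.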
-
In general, though, it's a bad idea to take post data and insert it directly into a SQL statement without type-checking (for non-string values) or at the minimum escaping single quotes (for strings). But I'm sure you knew that, right? SQL Injection attacks aren't fun.
This is how I was doing it originally, but then at w3schools they did it this way. I know I should be more cautious, but this DB will have all of 2 users and maybe, at most, a lifetime high of like 300 records.