Author Topic: MySQL nerds: Halp!


GilloD

  • TAKE THE LIFE OF FRED ASTAIRE. MAKE HIM PAY. TRANSFER HIS FAME TO YOU.
  • Senior Member
MySQL nerds: Halp!
« on: January 07, 2009, 04:37:52 PM »
So I just started a little MySQL/PHP project for work. It's kind of a fun thing, I've never attempted it before and I'm STUCK. There's an HTML form that POSTs to a PHP script that punts it to MySQL. However, I got a prob with this chunk of code:

Code:
mysql_query("INSERT INTO promotrack (distributor, retailer, broker)
VALUES ('$_POST['distrib']','$_POST['retail']','$_POST['broke']') ")

If I were to do
Code:
mysql_query("INSERT INTO promotrack (distributor, retailer, broker)
VALUES ('Steve','Joe','Hank') ")

I'd be fine. Specifically the error is:

Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /var/www/vhosts/asilenttreatment.org/httpdocs/php/AshDB/createrecord.php on line 94


I tried loading it into a variable and doing it that way, blah blah. I'm sure this is a bone head 101 mistake, but I need HALP!

wha

GilloD

  • TAKE THE LIFE OF FRED ASTAIRE. MAKE HIM PAY. TRANSFER HIS FAME TO YOU.
  • Senior Member
Re: MySQL nerds: Halp!
« Reply #1 on: January 07, 2009, 04:40:27 PM »
HA DURR. Fixed :)

The ' ' inside the POST was making it think I was trying to post the string of the variable blah blahsdg fdl;jkfl;ds
« Last Edit: January 07, 2009, 04:42:28 PM by GilloD »
wha

demi

  • cooler than willco
  • Administrator
Re: MySQL nerds: Halp!
« Reply #2 on: January 07, 2009, 04:42:08 PM »
edit: never mind, you fixed it
fat

Bocsius

  • is calmer than you are
  • Senior Member
Re: MySQL nerds: Halp!
« Reply #3 on: January 07, 2009, 04:45:53 PM »
In general, though, it's a bad idea to take post data and insert it directly into a SQL statement without type-checking (for non-string values) or at the minimum escaping single quotes (for strings). But I'm sure you knew that, right? SQL Injection attacks aren't fun.
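A worked version of the advice above, covering both the parse error in the first post and the injection warning in this reply. This is an added example, not code from the thread: it assumes the `promotrack` table with the three string columns named in the original post, placeholder database credentials, and the `mysqli` extension (the `mysql_*` functions used in the thread were removed in PHP 7). The `required_string` and `insert_promotrack` function names are my own.

```php
<?php
// Added example, not from the thread. Assumes table `promotrack` with string
// columns distributor, retailer, broker (as in the original post) and the
// placeholder credentials below.

// 1. The thread's statement with only the parse error fixed: array access
//    inside a double-quoted string must be wrapped in braces. This now runs,
//    but it still pastes request data straight into the SQL text, which is
//    exactly what Reply #3 warns about. Shown for contrast only, never executed.
$unsafe_sql = "INSERT INTO promotrack (distributor, retailer, broker)
               VALUES ('{$_POST['distrib']}', '{$_POST['retail']}', '{$_POST['broke']}')";

// 2. Validate each form field: present, actually a string (PHP will happily
//    hand you an array for `field[]`), non-empty, and bounded in length.
//    For a non-string column the same idea applies with
//    filter_var($v, FILTER_VALIDATE_INT) and an 'i' in bind_param below.
function required_string(array $src, string $key, int $max = 100): string
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        throw new InvalidArgumentException("missing field: $key");
    }
    $v = trim($src[$key]);
    if ($v === '' || strlen($v) > $max) {
        throw new InvalidArgumentException("bad value for: $key");
    }
    return $v;
}

// 3. Insert with a prepared statement. The SQL text only ever contains `?`
//    placeholders; the values travel separately, so a quote in the input
//    cannot change the shape of the statement.
function insert_promotrack(mysqli $db, string $distributor, string $retailer, string $broker): int
{
    $stmt = $db->prepare(
        'INSERT INTO promotrack (distributor, retailer, broker) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $distributor, $retailer, $broker);
    $stmt->execute();
    return $stmt->affected_rows;
}

// Make mysqli throw on errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

try {
    $distributor = required_string($_POST, 'distrib');
    $retailer    = required_string($_POST, 'retail');
    $broker      = required_string($_POST, 'broke');

    // Placeholder credentials; substitute your own.
    $db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
    $db->set_charset('utf8mb4');

    $rows = insert_promotrack($db, $distributor, $retailer, $broker);
    echo "inserted $rows row(s)\n";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'invalid input';
} catch (mysqli_sql_exception $e) {
    http_response_code(500);
    // Keep the driver's message in the server log; don't echo it to the browser.
    error_log('promotrack insert failed: ' . $e->getMessage());
    echo 'database error';
}
```

Escaping quotes with `real_escape_string`, the "at the minimum" option in the reply, does work when every value is quoted correctly and the connection charset is set, but it has to be done right at every call site. Binding parameters removes that question entirely, which is why it is the default choice even for a database with two users and 300 records.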

GilloD

  • TAKE THE LIFE OF FRED ASTAIRE. MAKE HIM PAY. TRANSFER HIS FAME TO YOU.
  • Senior Member
Re: MySQL nerds: Halp!
« Reply #4 on: January 08, 2009, 12:12:18 AM »
Quote from: Bocsius on January 07, 2009, 04:45:53 PM
In general, though, it's a bad idea to take post data and insert it directly into a SQL statement without type-checking (for non-string values) or at the minimum escaping single quotes (for strings). But I'm sure you knew that, right? SQL Injection attacks aren't fun.

This is how I was doing it originally, but then at w3schools they did it this way. I know I should be more cautious, but this DB will have all of 2 users and maybe, at most, a lifetime high of like 300 records.
wha