Rahul Sitaram Johari wrote:
My Apologies Everyone! I gave you all the wrong code Twice!! A pox on me - I
tell you!
This is the ACTUAL code that I'm working with - and it's not working:
<?php
//Add Record Function
if($_POST['Submit']) {
$db = mysql_connect("localhost","usr","pwd");
mysql_select_db("thedb",$db) or die("Critical Error :".mysql_error());
$WHEN = date(mdyHi);
$WHAT = $_POST['WHAT'];
$WHO = $_POST['WHO'];
echo "<SPAN CLASS='BlackText'>$WHEN, $WHAT, $WHO</SPAN><br>";
$sql = "INSERT INTO tbl (WHEN, WHAT, WHO) VALUES
('$WHEN','$WHAT','$WHO')";
$result = mysql_query($sql) or die("Fatal Error :".mysql_error());
echo "<span class='SmallText'><EM><STRONG>~: message sent
:~</STRONG></EM></span><BR><BR>";
}
?>
Please disregard the previous code I sent. Thank you!
On 3/29/07 10:10 AM, "Rahul Sitaram Johari" <sleepwalker@xxxxxxxxxxxxxxxx>
wrote:
Ave,
Does anyone know what I'm doing wrong?
<?php
//Add Record Function
if($_POST['Submit']) {
$db = mysql_connect("localhost","usr","pwd");
mysql_select_db("thedb",$db) or die("Critical Error :".mysql_error());
$WHEN = date(mdyHi);
$WHAT = $_POST['WHAT'];
$WHO = $_POST['WHO'];
echo "<SPAN CLASS='BlackText'>$WHEN, $WHAT, $WHO</SPAN><br>";
mysql_query("INSERT INTO tbl (WHEN, WHAT, WHO) VALUES
('$WHEN','$WHAT','$WHO')";

You'll want to fix this still - even with the field name change.
Why? Try submitting something with a quote in it.
Use mysql_real_escape_string:
$query = "INSERT INTO tbl(blah, blah, blah) VALUES('" .
mysql_real_escape_string($when) . "', '" .
mysql_real_escape_string($what) . "', '" .
mysql_real_escape_string($who) . "')";
mysql_query($query);
See http://php.net/mysql_real_escape_string and
http://phpsec.org/projects/guide/3.html
--
Postgresql & php tutorials
http://www.designmagick.com/
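
Added example, not part of the original thread and not either poster's code: the INSERT from the question built by string interpolation, beside a parameterized version, both fed a message containing a single quote. It assumes PDO with an in-memory SQLite database so it runs offline, and hypothetical column names sent_at, what, who; prepared statements are used here in place of the mysql_real_escape_string call the reply recommends.

```php
<?php
// Added example: constructed table and input, not the poster's schema.
// In-memory SQLite through PDO keeps it offline; against MySQL only the
// DSN and credentials passed to the PDO constructor would differ.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl (sent_at TEXT, what TEXT, who TEXT)');

// Constructed form input: ordinary text that happens to contain a quote.
$post = ['WHAT' => "It's not working", 'WHO' => "O'Brien"];
$when = date('mdyHi');

// Same shape as the posted code: values are pasted into the SQL text, so a
// quote in the data ends the string literal early and the statement breaks.
function insert_concatenated(PDO $pdo, string $when, string $what, string $who): string
{
    $sql = "INSERT INTO tbl (sent_at, what, who) VALUES ('$when','$what','$who')";
    try {
        $pdo->exec($sql);
        return 'ok';
    } catch (PDOException $e) {
        return 'failed: ' . $e->getMessage();
    }
}

// Parameterized form: the SQL text is fixed and the values travel
// separately, so quotes in the data are stored as data.
function insert_prepared(PDO $pdo, string $when, string $what, string $who): string
{
    $stmt = $pdo->prepare('INSERT INTO tbl (sent_at, what, who) VALUES (?, ?, ?)');
    $stmt->execute([$when, $what, $who]);
    return 'ok';
}

echo 'concatenated: ', insert_concatenated($pdo, $when, $post['WHAT'], $post['WHO']), PHP_EOL;
echo 'prepared:     ', insert_prepared($pdo, $when, $post['WHAT'], $post['WHO']), PHP_EOL;

// Only the prepared insert should have produced a row.
foreach ($pdo->query('SELECT sent_at, what, who FROM tbl') as $row) {
    echo "stored: {$row['sent_at']} | {$row['what']} | {$row['who']}", PHP_EOL;
}
```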