A definite improvement!! Thanks!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rahul Sitaram Johari
CEO, Twenty Four Seventy Nine Inc.

W: http://www.rahulsjohari.com
E: sleepwalker@xxxxxxxxxxxxxxxx

"I morti non sono più soli ... The dead are no longer lonely"


On 3/29/07 7:31 PM, "Chris" <dmagick@xxxxxxxxx> wrote:

> Rahul Sitaram Johari wrote:
>> My apologies, everyone! I gave you all the wrong code twice!! A pox on me, I
>> tell you!
>>
>> This is the ACTUAL code that I'm working with, and it's not working:
>>
>> <?php
>> // Add Record Function
>> if ($_POST['Submit']) {
>>     $db = mysql_connect("localhost", "usr", "pwd");
>>     mysql_select_db("thedb", $db) or die("Critical Error :" . mysql_error());
>>     $WHEN = date('mdyHi');
>>     $WHAT = $_POST['WHAT'];
>>     $WHO  = $_POST['WHO'];
>>     echo "<SPAN CLASS='BlackText'>$WHEN, $WHAT, $WHO</SPAN><br>";
>>
>>     $sql = "INSERT INTO tbl (WHEN, WHAT, WHO) VALUES
>>             ('$WHEN','$WHAT','$WHO')";
>>     $result = mysql_query($sql) or die("Fatal Error :" . mysql_error());
>>     echo "<span class='SmallText'><EM><STRONG>~: message sent
>>           :~</STRONG></EM></span><BR><BR>";
>> }
>> ?>
>>
>> Please disregard the previous code I sent. Thank you!
>>
>>
>> On 3/29/07 10:10 AM, "Rahul Sitaram Johari" <sleepwalker@xxxxxxxxxxxxxxxx>
>> wrote:
>>
>>> Ave,
>>>
>>> Does anyone know what I'm doing wrong?
>>>
>>> <?php
>>> // Add Record Function
>>> if ($_POST['Submit']) {
>>>     $db = mysql_connect("localhost", "usr", "pwd");
>>>     mysql_select_db("thedb", $db) or die("Critical Error :" . mysql_error());
>>>     $WHEN = date('mdyHi');
>>>     $WHAT = $_POST['WHAT'];
>>>     $WHO  = $_POST['WHO'];
>>>     echo "<SPAN CLASS='BlackText'>$WHEN, $WHAT, $WHO</SPAN><br>";
>>>
>>>     mysql_query("INSERT INTO tbl (WHEN, WHAT, WHO) VALUES
>>>                  ('$WHEN','$WHAT','$WHO')");
>
> You'll want to fix this still, even with the field name change.
>
> Why? Try submitting something with a quote in it.
>
> Use mysql_real_escape_string:
>
> $query = "INSERT INTO tbl(blah, blah, blah) VALUES('"
>        . mysql_real_escape_string($when) . "', '"
>        . mysql_real_escape_string($what) . "', '"
>        . mysql_real_escape_string($who) . "')";
>
> mysql_query($query);
>
> See http://php.net/mysql_real_escape_string and
> http://phpsec.org/projects/guide/3.html

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
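Chris's point about quotes, shown end to end as an added example (not code from the thread): the same INSERT built three ways against an in-memory SQLite database through PDO, so it runs offline without a MySQL server. The table and column names (`log`, `logged_at`, `what`, `who`) and the sample input are my assumptions; the columns are renamed because `WHEN` is a reserved word in MySQL, which is the "field name change" Chris refers to. `PDO::quote()` stands in for `mysql_real_escape_string()` here (the `mysql_*` extension was removed in PHP 7; on a live MySQL connection the equivalents are `mysqli_real_escape_string()` or, better, a prepared statement as in the third variant).

```php
<?php
// Added example, not part of the original thread. Runs offline against an
// in-memory SQLite database; requires the pdo_sqlite extension.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Assumed schema: columns renamed so none of them is a MySQL reserved word.
$pdo->exec("CREATE TABLE log (logged_at TEXT, what TEXT, who TEXT)");

$when = date('mdyHi');
$what = "hello";
// Constructed input: what $_POST['WHO'] would hold if a user typed a name
// containing an apostrophe.
$who  = "O'Brien";

// 1. Unescaped interpolation, exactly as in the original post. The apostrophe
//    in $who terminates the string literal early and the statement fails to
//    parse; a crafted value could instead alter what the statement does.
try {
    $pdo->exec("INSERT INTO log (logged_at, what, who) VALUES ('$when','$what','$who')");
    echo "unescaped insert succeeded (unexpected)\n";
} catch (PDOException $e) {
    echo "unescaped insert failed: " . $e->getMessage() . "\n";
}

// 2. Escaping each value, the approach Chris suggests. PDO::quote() escapes
//    the apostrophe AND adds the surrounding quotes, so the SQL text must not
//    repeat them (mysql_real_escape_string() does not add quotes, hence the
//    literal quotes in Chris's version).
$sql = "INSERT INTO log (logged_at, what, who) VALUES ("
     . $pdo->quote($when) . ", "
     . $pdo->quote($what) . ", "
     . $pdo->quote($who)  . ")";
$pdo->exec($sql);

// 3. Prepared statement with bound parameters: the values are sent separately
//    from the SQL text, so there is no escaping step to get wrong or forget.
$stmt = $pdo->prepare(
    "INSERT INTO log (logged_at, what, who) VALUES (:when, :what, :who)"
);
$stmt->execute([':when' => $when, ':what' => $what, ':who' => $who]);

// Both safe variants stored the apostrophe intact.
foreach ($pdo->query("SELECT who FROM log") as $row) {
    echo "stored: " . $row['who'] . "\n";
}
```

Run it with `php example.php`; the first INSERT raises a syntax error from SQLite, and the SELECT prints `O'Brien` twice. Of the two fixes, the prepared statement is the one to standardise on: escaping works, but only as long as every interpolated value is wrapped in the escape call and quoted consistently, and a single omission reintroduces the problem.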