Re: What is wrong with this INSERT?

A definite improvement!!

Thanks!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rahul Sitaram Johari
CEO, Twenty Four Seventy Nine Inc.

W: http://www.rahulsjohari.com
E: sleepwalker@xxxxxxxxxxxxxxxx

“I morti non sono piu soli ... The dead are no longer lonely”



On 3/29/07 7:31 PM, "Chris" <dmagick@xxxxxxxxx> wrote:

> Rahul Sitaram Johari wrote:
>> My Apologies Everyone! I gave you all the wrong code Twice!! A pox on me - I
>> tell you!
>> 
>> This is the ACTUAL code that I'm working with - and it's not working:
>> 
>>     <?php
>>     //Add Record Function
>>     if($_POST['Submit']) {
>>     $db = mysql_connect("localhost","usr","pwd");
>>     mysql_select_db("thedb",$db) or die("Critical Error :".mysql_error());
>>     $WHEN = date('mdyHi');
>>     $WHAT = $_POST['WHAT'];
>>     $WHO = $_POST['WHO'];
>>     echo "<SPAN CLASS='BlackText'>$WHEN, $WHAT, $WHO</SPAN><br>";
>>                 
>>     $sql = "INSERT INTO tbl  (WHEN, WHAT, WHO) VALUES
>> ('$WHEN','$WHAT','$WHO')";
>>     $result = mysql_query($sql) or die("Fatal Error :".mysql_error());
>>     echo "<span class='SmallText'><EM><STRONG>~: message sent
>> :~</STRONG></EM></span><BR><BR>";
>>     }
>>     ?>
>> 
>> Please disregard the previous code I sent. Thank you!
>> 
>> 
>> On 3/29/07 10:10 AM, "Rahul Sitaram Johari" <sleepwalker@xxxxxxxxxxxxxxxx>
>> wrote:
>> 
>>> Ave,
>>> 
>>> Does anyone know what I'm doing wrong?
>>> 
>>>     <?php
>>>     //Add Record Function
>>>     if($_POST['Submit']) {
>>>     $db = mysql_connect("localhost","usr","pwd");
>>>     mysql_select_db("thedb",$db) or die("Critical Error :".mysql_error());
>>>     $WHEN = date('mdyHi');
>>>     $WHAT = $_POST['WHAT'];
>>>     $WHO = $_POST['WHO'];
>>>     echo "<SPAN CLASS='BlackText'>$WHEN, $WHAT, $WHO</SPAN><br>";
>>>                
>>>     mysql_query("INSERT INTO tbl (WHEN, WHAT, WHO) VALUES
>>> ('$WHEN','$WHAT','$WHO')";
> 
> You'll want to fix this still - even with the field name change.
> 
> Why? Try submitting something with a quote in it.
> 
> Use mysql_real_escape_string:
> 
> $query = "INSERT INTO tbl(blah, blah, blah) VALUES('" .
> mysql_real_escape_string($when) . "', '" .
> mysql_real_escape_string($what) . "', '" .
> mysql_real_escape_string($who) . "')";
> 
> mysql_query($query);
> 
> See http://php.net/mysql_real_escape_string and
> http://phpsec.org/projects/guide/3.html

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
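The point Chris makes above, shown as an added example that is not part of the thread and not code from either poster: the same INSERT built three ways, so the effect of a quote in the submitted value can be seen side by side. It assumes a mysqli connection to the "thedb" database from the quoted code and a table `tbl` with columns `WHEN`, `WHAT`, `WHO` (with `WHEN` backtick-quoted, since it is a MySQL reserved word, which is why the field name had to change). The escaping function is `mysqli_real_escape_string`, the ext/mysqli equivalent of the `mysql_real_escape_string` Chris cites (ext/mysql was removed in PHP 7); the prepared-statement variant goes beyond the thread's suggestion and is the form to prefer today. The input string with the apostrophe is constructed for the demonstration.

```php
<?php
// Added example; assumes a live mysqli link to "thedb" with
// table tbl(`WHEN`, WHAT, WHO). Not code from the mailing-list thread.

// 1. The shape of the quoted code: raw POST values spliced into the SQL.
//    A single quote in $what or $who ends the string literal early, and
//    MySQL reports a syntax error (or, with crafted input, runs other SQL).
function build_insert_unsafe(string $when, string $what, string $who): string
{
    return "INSERT INTO tbl (`WHEN`, WHAT, WHO) VALUES ('$when','$what','$who')";
}

// 2. Chris's fix: escape every value for the connection's charset before
//    concatenating. Same statement, but quotes arrive as \' inside the literal.
function build_insert_escaped(mysqli $link, string $when, string $what, string $who): string
{
    return "INSERT INTO tbl (`WHEN`, WHAT, WHO) VALUES ('"
        . mysqli_real_escape_string($link, $when) . "', '"
        . mysqli_real_escape_string($link, $what) . "', '"
        . mysqli_real_escape_string($link, $who) . "')";
}

// 3. Prepared statement: values never become part of the SQL text at all,
//    so there is nothing to escape. Returns true on successful execution.
function insert_prepared(mysqli $link, string $when, string $what, string $who): bool
{
    $stmt = mysqli_prepare($link, "INSERT INTO tbl (`WHEN`, WHAT, WHO) VALUES (?, ?, ?)");
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 'sss', $when, $what, $who);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

$link = mysqli_connect("localhost", "usr", "pwd", "thedb");
if ($link === false) {
    die("Critical Error: " . mysqli_connect_error());
}

$when = date('mdyHi');          // same timestamp format as the quoted code
$what = "Ave, it's me";         // constructed input containing a single quote
$who  = "Rahul";

// Print the two string-built statements so the difference is visible.
echo build_insert_unsafe($when, $what, $who), "\n";
echo build_insert_escaped($link, $when, $what, $who), "\n";

// Only the escaped form and the prepared form are safe to execute.
if (mysqli_query($link, build_insert_escaped($link, $when, $what, $who)) === false) {
    echo "Fatal Error: " . mysqli_error($link) . "\n";
}
if (!insert_prepared($link, $when, $what, $who)) {
    echo "Fatal Error: " . mysqli_error($link) . "\n";
}

mysqli_close($link);
```

Running this against a real table shows that the first statement fails on the apostrophe in `$what` while the escaped and prepared versions both insert the row intact. Note that `mysqli_real_escape_string` takes the link as its first argument (the reverse of the old `mysql_real_escape_string` order) because escaping depends on the connection's character set; escaping without a link is the classic way this fix goes wrong.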


