Re: PHP Beginners Help

Thanks all for your replies. Much appreciated. I have edited the code and
taken the points into account:


$con = mysql_connect("localhost","ben_test","removed") or die("con");
$db = mysql_select_db("ben_test") or die("db");
$sql1 = mysql_query("INSERT INTO `comments` (`messages`) VALUES ($comments)") or die("insert");
$mysql_query_one = mysql_query("SELECT * FROM `comments`");
while($rows=mysql_fetch_array($mysql_query_one)) {
    echo $rows['messages'] . "<br />";
}

Okay, the browser output "insert", so it has to be something to do with
the insert SQL syntax I have added. Not sure if it's overriding the same
content added as before or something.

Any help once again is appreciated.

Thank you,
Ben Stones.

On Jan 3, 2008 3:16 AM, Benjamin Darwin <bddarwin@xxxxxxxxx> wrote:

> Ben:
>
> First, using a $_POST value directly into a MySQL query is EXTREMELY
> unsafe. Always filter data from any source to make sure it's what you
> expect. SQL injection is one of the easiest ways to cause real damage
> to a website. http://en.wikipedia.org/wiki/SQL_injection
>
> Check out this function for making the string safe:
> http://us2.php.net/manual/en/function.mysql-real-escape-string.php
> Also, try and strip out any characters that don't belong in the string
> anyway, just as added security.
>
> Good luck learning PHP.
>
> --Another person who happens to be named Ben
>
> I've also put a few edits in the code.
> On Jan 2, 2008 9:57 PM, Ben Stones <bastones@xxxxxxxxxxxxxx> wrote:
> > Hello, my name is Ben Stones. I am quite a beginner to PHP, and as a New
> > Year's resolution I am going to learn PHP (finally!)
> >
> > Cut to the chase: I have created a basic looping script that would display
> > anything submitted in a form, on separate lines; here is the PHP code:
> >
> > $con = mysql_connect("localhost","ben_test","------removed-----") or die("con");
> > $db = mysql_select_db("ben_test") or die("db");
> > mysql_query("CREATE TABLE `comments` (messages varchar(255))");
> > $comments = $_POST['comment'];
> > $sql1 = mysql_query("INSERT INTO `comments` (`messages`) VALUES ($comments)");
> >
> > $mysql_query_one = mysql_query("SELECT * FROM `comments`");
> > while($rows=mysql_fetch_array($mysql_query_one)) {
> >     echo $rows['messages'] . "<br />";
> > }
> >
> > Everything went swell for the first half, and after I truncated the test
> > messages (or everything in the column, if you like), I tried doing one
> more
> > test run and upon clicking 'Submit', nothing would display except the
> > messages I added via phpMyAdmin.
> >
> > Hope someone could help me.
> >
> > PS: The password has been edited out of the preceding code as well as
> the
> > HTML code purposely for the mailing list.
> >
>
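The following is an added example, not code from this thread, showing why the INSERT shape used above fails and how the injection risk described in the reply is removed. The database, table and column names (ben_test, comments, messages) follow the thread; the DSN, the placeholder password, the sample comments and the choice of PDO prepared statements are assumptions.

```php
<?php
// Added example, not code from the thread. Database, table and column names
// follow the thread (ben_test, comments, messages); the DSN, the placeholder
// password, the sample comments and the choice of PDO are assumptions.

// 1. The statement shape used in the thread: the variable lands in the SQL
//    text with no quotes. For "hello world" MySQL sees VALUES (hello world),
//    a syntax error, so the query fails and the script reaches die("insert").
function buildUnquotedInsert($comment)
{
    return "INSERT INTO `comments` (`messages`) VALUES ($comment)";
}

// 2. Quoting by hand makes the statement parse, but the comment itself can
//    close the quote and add its own values to the statement.
function buildQuotedInsert($comment)
{
    return "INSERT INTO `comments` (`messages`) VALUES ('$comment')";
}

// 3. Hardened form: the SQL text is fixed, and the comment is sent to the
//    server as a bound parameter, so nothing in it is ever parsed as SQL.
function insertComment(PDO $pdo, $comment)
{
    $stmt = $pdo->prepare('INSERT INTO `comments` (`messages`) VALUES (:msg)');
    $stmt->execute([':msg' => $comment]);
    return $stmt->rowCount();   // 1 on success; failures raise PDOException
}

// Escape on the way out as well: the stored text is echoed into HTML.
function listComments(PDO $pdo)
{
    $out = [];
    foreach ($pdo->query('SELECT `messages` FROM `comments`') as $row) {
        $out[] = htmlspecialchars($row['messages'], ENT_QUOTES, 'UTF-8');
    }
    return $out;
}

// Constructed sample inputs.
$benign  = 'hello world';
$hostile = "hello'), (USER()), ('x";   // smuggles two extra rows into the INSERT

echo buildUnquotedInsert($benign), "\n";
// INSERT INTO `comments` (`messages`) VALUES (hello world)
//   -> MySQL syntax error, which is the die("insert") seen in the thread
echo buildQuotedInsert($hostile), "\n";
// INSERT INTO `comments` (`messages`) VALUES ('hello'), (USER()), ('x')
//   -> three rows; the second one stores the database account name, which the
//      listing loop then shows to every visitor

// Running the hardened version against the assumed database.
$pdo = new PDO(
    'mysql:host=localhost;dbname=ben_test;charset=utf8mb4',
    'ben_test',
    'removed',                  // placeholder, as in the thread
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false]
);
$pdo->exec('CREATE TABLE IF NOT EXISTS `comments` (`messages` VARCHAR(255))');

insertComment($pdo, $hostile);   // stored as one literal row; USER() never runs
foreach (listComments($pdo) as $message) {
    echo $message, "<br />\n";
}
```

The thread's query puts the PHP variable into the SQL text without quotes, so for any comment that is not a bare number MySQL reports a syntax error, mysql_query() returns false and the script dies with "insert". Adding quotes by hand, or calling mysql_real_escape_string() as the reply suggests (it also needs the surrounding quotes), makes the statement parse, but escaping is only a stopgap: a prepared statement never lets the submitted text be parsed as SQL. The mysql_* extension was removed in PHP 7, so current code has to use mysqli or PDO in any case, and the output still needs htmlspecialchars() because the stored comment is echoed straight into the page.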
