On 03/08/10 23:04, Paul_S_Johnson@xxxxxxxxxxxxxxxx wrote:
Yes, I may have mixed up the input and output from different iterations of running it. Let me try posting this again although it may not be an issue.

Once again if I enter two sequential apostrophes in the name (O''Brien) the INSERT passes right through to MySQL without an error.

THE INPUT:

$sql_insert_registration = sprintf("INSERT INTO Registrations (
Class_ID, prid, Registrant, Company, Phone, Email
) VALUES (
$_POST[Class_ID],
^^^^^^ needs a mysql_real_escape_string or validation to make sure it's an integer
$_POST[prid],
^^^^^^ needs a mysql_real_escape_string or validation to make sure it's an integer
'%s',".
^^^^^^ has a mysql_real_escape_string, but it's the only one.
parseNull($_POST['Company']).",
Without knowing what this function does, it's hard to say what this needs.
'$_POST[Phone]',
^^^^^^ needs a mysql_real_escape_string
'$_POST[Email]'
^^^^^^ needs a mysql_real_escape_string
)", mysql_real_escape_string($_POST['Registrant']));
This has already all been pointed out previously.

--
Postgresql & php tutorials
http://www.designmagick.com/
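
The same INSERT with the changes called for in the annotations above, as an added example that is not part of the original message or the poster's code: the two IDs are validated as integers and every value is bound as a parameter through PDO, used here in place of mysql_real_escape_string (which was removed in PHP 7). The helper names, the in-memory SQLite database standing in for MySQL, and the treatment of an empty Company as NULL are assumptions.

```php
<?php
// Added example. Table and column names come from the thread; the rest is assumed.
// In-memory SQLite stands in for MySQL so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Registrations (
    Class_ID INTEGER NOT NULL, prid INTEGER NOT NULL, Registrant TEXT NOT NULL,
    Company TEXT, Phone TEXT, Email TEXT)');

// Hypothetical helper: accept only a non-negative integer, reject everything else.
function requireInt(array $in, string $key): int
{
    $v = filter_var($in[$key] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($v === false) {
        throw new InvalidArgumentException("$key must be an integer");
    }
    return $v;
}

// Hypothetical helper: validate the two IDs and bind every value as a parameter,
// so no request data is ever concatenated into the SQL text.
function insertRegistration(PDO $pdo, array $in): void
{
    $company = trim($in['Company'] ?? '');
    $stmt = $pdo->prepare('INSERT INTO Registrations
        (Class_ID, prid, Registrant, Company, Phone, Email)
        VALUES (:class_id, :prid, :registrant, :company, :phone, :email)');
    $stmt->execute([
        'class_id'   => requireInt($in, 'Class_ID'),
        'prid'       => requireInt($in, 'prid'),
        'registrant' => $in['Registrant'] ?? '',
        'company'    => $company === '' ? null : $company, // assumed: empty means NULL
        'phone'      => $in['Phone'] ?? '',
        'email'      => $in['Email'] ?? '',
    ]);
}

// Constructed sample input standing in for $_POST.
$post = ['Class_ID' => '12', 'prid' => '7', 'Registrant' => "O'Brien",
         'Company' => '', 'Phone' => '555-0100', 'Email' => "o'brien@example.com"];
insertRegistration($pdo, $post);

try {
    // Non-integer Class_ID is refused before any SQL is built.
    insertRegistration($pdo, ['Class_ID' => '12abc'] + $post);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

print_r($pdo->query('SELECT * FROM Registrations')->fetchAll(PDO::FETCH_ASSOC));
```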