A definite improvement!!

Thanks!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rahul Sitaram Johari
CEO, Twenty Four Seventy Nine Inc.

W: http://www.rahulsjohari.com
E: [EMAIL PROTECTED]

"I morti non sono piu soli ... The dead are no longer lonely"



On 3/29/07 7:31 PM, "Chris" <[EMAIL PROTECTED]> wrote:

> Rahul Sitaram Johari wrote:
>> My Apologies Everyone! I gave you all the wrong code Twice!! A pox on me - I
>> tell you!
>> 
>> This is the ACTUAL code that I'm working with - and it's not working:
>> 
>>     <?php
>>     //Add Record Function
>>     if($_POST['Submit']) {
>>     $db = mysql_connect("localhost","usr","pwd");
>>     mysql_select_db("thedb",$db) or die("Critical Error :".mysql_error());
>>     $WHEN = date(mdyHi);
>>     $WHAT = $_POST['WHAT'];
>>     $WHO = $_POST['WHO'];
>>     echo "<SPAN CLASS='BlackText'>$WHEN, $WHAT, $WHO</SPAN><br>";
>>                 
>>     $sql = "INSERT INTO tbl  (WHEN, WHAT, WHO) VALUES
>> ('$WHEN','$WHAT','$WHO')";
>>     $result = mysql_query($sql) or die("Fatal Error :".mysql_error());
>>     echo "<span class='SmallText'><EM><STRONG>~: message sent
>> :~</STRONG></EM></span><BR><BR>";
>>     }
>>     ?>
>> 
>> Please disregard the previous code I sent. Thank you!
>> 
>> 
>> On 3/29/07 10:10 AM, "Rahul Sitaram Johari" <[EMAIL PROTECTED]>
>> wrote:
>> 
>>> Ave,
>>> 
>>> Does anyone know what I'm doing wrong?
>>> 
>>>     <?php
>>>     //Add Record Function
>>>     if($_POST['Submit']) {
>>>     $db = mysql_connect("localhost","usr","pwd");
>>>     mysql_select_db("thedb",$db) or die("Critical Error :".mysql_error());
>>>     $WHEN = date(mdyHi);
>>>     $WHAT = $_POST['WHAT'];
>>>     $WHO = $_POST['WHO'];
>>>     echo "<SPAN CLASS='BlackText'>$WHEN, $WHAT, $WHO</SPAN><br>";
>>>                
>>>     mysql_query("INSERT INTO tbl (WHEN, WHAT, WHO) VALUES
>>> ('$WHEN','$WHAT','$WHO')";
> 
> You'll want to fix this still - even with the field name change.
> 
> Why? Try submitting something with a quote in it.
> 
> Use mysql_real_escape_string:
> 
> $query = "INSERT INTO tbl(blah, blah, blah) VALUES('" .
> mysql_real_escape_string($when) . "', '" .
> mysql_real_escape_string($what) . "', '" .
> mysql_real_escape_string($who) . "')";
> 
> mysql_query($query);
> 
> See http://php.net/mysql_real_escape_string and
> http://phpsec.org/projects/guide/3.html

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
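The point Chris makes above (a single quote in submitted data breaks, or hijacks, a query built by string interpolation) is shown below in an added example that is not part of the thread. It runs the same INSERT three ways against an in-memory SQLite database through PDO, so it needs no MySQL server; the assumed names ($when, $what, $who, the table tbl and its columns) mirror the original post, the `WHEN` column is backtick-quoted because WHEN is a reserved word in MySQL, and the date() format string is quoted as PHP requires. PDO::quote() stands in for mysql_real_escape_string(), which was removed along with the rest of the mysql_* extension in PHP 7; the prepared statement at the end is the form a practitioner would use today.

```php
<?php
// Added example, not code from the mailing-list thread. Uses PDO with SQLite
// so it runs stand-alone; the same three patterns apply to MySQL via PDO/mysqli.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// WHEN is reserved in MySQL (and a keyword in SQLite), so it is quoted here.
// Renaming the column, as the thread did, is the other valid fix.
$db->exec('CREATE TABLE tbl (`WHEN` TEXT, WHAT TEXT, WHO TEXT)');

// Constructed form input (assumed values) containing the quote Chris warns about.
$when = date('mdyHi');                 // format string must be quoted in PHP
$what = "Ticket 42 says it's done";
$who  = "O'Brien";

// 1. Naive interpolation, as in the original post. The apostrophe in $what
//    closes the string literal early; the rest is parsed as SQL. With a
//    crafted value that "rest" becomes attacker-chosen SQL.
$naive = "INSERT INTO tbl (`WHEN`, WHAT, WHO) VALUES ('$when','$what','$who')";
try {
    $db->exec($naive);
    echo "naive: unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "naive: failed as expected: " . $e->getMessage() . "\n";
}

// 2. Escaping each value, the fix Chris proposes. PDO::quote() adds the
//    surrounding quotes itself (mysql_real_escape_string() does not), so the
//    values are concatenated without extra quote characters.
$escaped = "INSERT INTO tbl (`WHEN`, WHAT, WHO) VALUES ("
    . $db->quote($when) . ", "
    . $db->quote($what) . ", "
    . $db->quote($who)  . ")";
$db->exec($escaped);

// 3. Prepared statement: the data is bound separately and never becomes part
//    of the SQL text, so there is nothing to escape and nothing to forget.
$stmt = $db->prepare(
    'INSERT INTO tbl (`WHEN`, WHAT, WHO) VALUES (:when, :what, :who)'
);
$stmt->execute([':when' => $when, ':what' => $what, ':who' => $who]);

// Both safe variants stored the quotes intact: two identical rows.
foreach ($db->query('SELECT `WHEN`, WHAT, WHO FROM tbl', PDO::FETCH_NUM) as $row) {
    echo implode(', ', $row), "\n";
}
```

Two caveats worth keeping in mind when applying Chris's advice to the original mysql_* code: mysql_real_escape_string() needs an open connection, because it escapes according to that connection's character set, so it must be called after mysql_connect(); and escaping only protects values inside quoted string literals, so it does nothing for the reserved-word column name or for any value that is interpolated unquoted (a numeric ID, an ORDER BY column). Prepared statements remove the first class of mistakes entirely; identifiers still have to be whitelisted or quoted by the code.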
