MySQL Input Statement

Something is going on with my MySQL Input statement. Sometimes it works, other times not. I confirmed the variables are being passed from the form, but I can’t figure out what’s going on. Any help would be appreciated. Thanks.

<?php
// Customer fields, copied straight from the POSTed form
$cust_id = $_POST["cust_id"];
$fname = $_POST["fname"];
$lname = $_POST["lname"];
$address = $_POST["address"];
$city = $_POST["city"];
$state = $_POST["state"];
$zip = $_POST["zip"];

// Purchase fields from the same form
$item = $_POST["item"];
$descr = $_POST["descr"];
$quantity = $_POST["quantity"];
$price = $_POST["price"];
$comments = $_POST["comments"];

// Debug output to confirm the values arrived
echo "$cust_id, $fname, $lname, $address, $city, $state, $zip";

$link = mysql_connect("localhost", "rr_steve", "2222") or die ("Access To DB Error");
mysql_select_db("rr_test", $link) or die ("DB not selected");

// Values are interpolated directly into the query text, unescaped
$gen = "INSERT INTO general (ID, FName, LName, Address, City, State) VALUES ('$cust_id','$fname','$lname','$address','$city','$state')";
mysql_query($gen) or die ("general table Data Not Entered");

$pur = "INSERT INTO Purchasing (ID, Item, Description, Quantity, Price, Comments) VALUES ('$cust_id','$item','$descr','$quantity','$price','$comments')";
mysql_query($pur) or die ("Purchasing Data Not Entered");

echo "<div align=center><h2>Customer Data Entered Successfully</h2></div>";
?>

@Mindzai, Jul 05.2010 — It's likely because you are not escaping any user input and so certain characters will break your query. Have a look at the mysql_real_escape_string() function. As a bonus, fixing this will also close the gaping security hole you currently have which allows attackers to perform SQL injection attacks.
@webphotogeek (author), Jul 05.2010 — OK, I added the mysql_real_escape_string() function, but I am not that familiar with it, so I don't know if my syntax is correct. Here's what I have now:

// Escape each value before it is placed in the query: a function call written
// inside a double-quoted string is inserted as literal text, not executed.
// mysql_real_escape_string() needs the open $link from mysql_connect().
foreach (array('cust_id', 'fname', 'lname', 'address', 'city', 'state', 'item', 'descr', 'quantity', 'price', 'comments') as $name) {
    $$name = mysql_real_escape_string($$name, $link);
}

$gen = "INSERT INTO general (ID, FName, LName, Address, City, State) VALUES ('$cust_id','$fname','$lname','$address','$city','$state')";
mysql_query($gen, $link) or die ("general table Data Not Entered");

$pur = "INSERT INTO Purchasing (ID, Item, Description, Quantity, Price, Comments) VALUES ('$cust_id','$item','$descr','$quantity','$price','$comments')";
mysql_query($pur, $link) or die ("Purchasing Data Not Entered");
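The same two INSERTs written with prepared statements, added here as an example that is not code from either poster: it uses the mysqli extension (the mysql_* functions used in the thread were removed in PHP 7), so form values are bound as parameters instead of being spliced into the SQL text and escaping is no longer the application's job. Connection credentials are placeholders; table and column names follow the thread, and the numeric validation and transaction are assumptions about what the form should enforce.

```php
<?php
// Added example (not the poster's code): the thread's two INSERTs via mysqli
// prepared statements, so user input never becomes part of the SQL text.
// Connection details are placeholders; table/column names follow the thread.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
// Read a form field; a missing field becomes '' instead of an undefined-index notice.
function field(string $name): string {
    return isset($_POST[$name]) ? trim((string)$_POST[$name]) : '';
}

$cust_id  = field('cust_id');
$fname    = field('fname');
$lname    = field('lname');
$address  = field('address');
$city     = field('city');
$state    = field('state');
$item     = field('item');
$descr    = field('descr');
$comments = field('comments');

// Numeric fields are validated before they reach the database.
$quantity = filter_var(field('quantity'), FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$price    = filter_var(field('price'), FILTER_VALIDATE_FLOAT);
if ($quantity === false || $price === false) {
    http_response_code(400);
    exit('Quantity must be a whole number and price a decimal value.');
}

$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'rr_test');
$db->set_charset('utf8mb4'); // binding/escaping must match the connection charset

$db->begin_transaction(); // both rows are written, or neither
try {
    // '?' placeholders: the values travel separately from the statement text.
    $gen = $db->prepare('INSERT INTO general (ID, FName, LName, Address, City, State) VALUES (?, ?, ?, ?, ?, ?)');
    $gen->bind_param('ssssss', $cust_id, $fname, $lname, $address, $city, $state);
    $gen->execute();
    $pur = $db->prepare('INSERT INTO Purchasing (ID, Item, Description, Quantity, Price, Comments) VALUES (?, ?, ?, ?, ?, ?)');
    $pur->bind_param('sssids', $cust_id, $item, $descr, $quantity, $price, $comments);
    $pur->execute();
    $db->commit();
} catch (mysqli_sql_exception $e) {
    $db->rollback();
    error_log('Customer insert failed: ' . $e->getMessage()); // detail stays server-side
    http_response_code(500);
    exit('Customer data could not be saved.');
}
echo '<div align="center"><h2>Customer Data Entered Successfully</h2></div>';
```

With MYSQLI_REPORT_STRICT enabled, a failed query throws instead of silently returning false, so the "sometimes it works" symptom shows up in the server log with the actual MySQL error rather than a generic die() message.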