Menu
Community /Pin to ProfileBookmark
@NogDogApr 27.2011 — #@NogDogApr 27.2011 — #
I never like to assume that, as many people do not. ?
PS: To the OP, you might want to consider moving up the the MySQL[b]i[/b] extension and use prepared statements, which can help handle this sort of thing if you use bound input parameters.
PHP Form Data Type
I am trying create a form that submits data into a MySQL table. A gutted version of the code is shown below. It works great when I replace the red line with:
[COLOR=”Red”]$query = “INSERT INTO top VALUES ($score, ‘Bob’)”;
so I think there is some problem recognizing the variable $name which is sent from the form as a string compatible with the MySQL table type tinytext
<html>
<head>
<?php
//data String
$name = $_POST[“name”];
$score = (int)$
?>
</head>
<body>
<?php
—Code Removed—
[COLOR=”Red”]$query = “INSERT INTO top VALUES ($score, $name)”;
mysql_query($query);
?>
</body>
</html>
Thanks in Advance,
Alex
Sign in
to post a comment5 Comments(s) ↴
0
@NogDogApr 27.2011 — #[code=php]
$query = sprintf(
"INSERT INTO top VALUES (%d, '%s')"; // quote string literal in SQL
(int) $score, // force to be integer
mysql_real_escape_string($name) // escape problematic SQL characters
);
[/code]0
@NogDogApr 27.2011 — #Good plan, i assumed the rest of his code (he said it was a stripped down version) had incorporated for SQL injection like...[/QUOTE]
I never like to assume that, as many people do not. ?
PS: To the OP, you might want to consider moving up the the MySQL[b]i[/b] extension and use prepared statements, which can help handle this sort of thing if you use bound input parameters.