  1. #1
    SitePoint Zealot
    Join Date
    Aug 2003
    Location
    Singapore
    Posts
    105
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    SQL insert not working

    PHP Code:
    $query = 'INSERT INTO `blogentries` VALUES (\'\', '.$_POST['title'].', '.$_POST['post'].', '.$_POST['date'].', '.$_POST['author'].', '.$_POST['mood'].')';
    I'm trying to use the above but am unable to. How do I format the above so that I can use it? Basically I'm trying to insert values of $_POST[] into blogentries. Thanks!

  2. #2
    SitePoint Zealot
    Join Date
    Jan 2005
    Location
    ble
    Posts
    118
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Are you sure you've identified your host name and dbname dbpassword etc. etc.?
    If someone was helpful, give them some 'rep'.

  3. #3
    SitePoint Addict launchcode's Avatar
    Join Date
    Dec 2004
    Location
    Bristol, UK
    Posts
    259
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    It scares me more than anything when I see $_POST values inserted directly into SQL statements like this.

    Validate people.. validate!

    I could literally erase your SQL database contents if I wanted.
    Richard Davey

    Launchcode
    PHP Security Guide. Think your scripts are secure? Think again.

  4. #4
    SitePoint Zealot
    Join Date
    Aug 2003
    Location
    Singapore
    Posts
    105
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by launchcode
    It scares me more than anything when I see $_POST values inserted directly into SQL statements like this.

    Validate people.. validate!

    I could literally erase your SQL database contents if I wanted.
    Erm I don't need to, I'm the only one using this script. .htaccess provides password protection.

    Anyway, does anyone know the syntax I should be using? I changed all of these to normal variables and they worked fine?

  5. #5
    SitePoint Addict launchcode's Avatar
    Join Date
    Dec 2004
    Location
    Bristol, UK
    Posts
    259
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    $_POST['var'] is a standard variable (well, it's an array element, but you know what I mean).

    So ultimately, if they exist and actually have data in (not that you'll know because you don't even check it.. heh ), there is no difference using them in your script the way you do at the moment than from using a standard variable. Syntax wise your code is correct.

  6. #6
    Umm. PHP Guru....Naaaah jaswinder_rana's Avatar
    Join Date
    Jul 2004
    Location
    canada
    Posts
    3,193
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    try echoing the query
    echo $query
    and post the result. something might be wrong with the syntax

  7. #7
    SitePoint Evangelist
    Join Date
    Feb 2004
    Location
    Sofia, Bulgaria
    Posts
    421
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by launchcode
    Syntax wise your code is correct.
    don't think so.. you should put quotes around all string values.. something like this:

    PHP Code:
    $query = '
      INSERT INTO `blogentries` VALUES (
        \'\',
        \'' . $_POST['title'] . '\',
        \'' . $_POST['post'] . '\',
        \'' . $_POST['date'] . '\',
        \'' . $_POST['author'] . '\',
        \'' . $_POST['mood'] . '\'
      )';


  8. #8
    Umm. PHP Guru....Naaaah jaswinder_rana's Avatar
    Join Date
    Jul 2004
    Location
    canada
    Posts
    3,193
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by dacool
    don't think so.. you should put quotes around all string values.. something like this:

    PHP Code:
    $query = '
      INSERT INTO `blogentries` VALUES (
        \'\',
        \'' . $_POST['title'] . '\',
        \'' . $_POST['post'] . '\',
        \'' . $_POST['date'] . '\',
        \'' . $_POST['author'] . '\',
        \'' . $_POST['mood'] . '\'
      )';

    i thought so, that's why i told to echo the query. good observation dacool

  9. #9
    dooby dooby doo silver trophybronze trophy
    spikeZ's Avatar
    Join Date
    Aug 2004
    Location
    Manchester UK
    Posts
    13,806
    Mentioned
    158 Post(s)
    Tagged
    3 Thread(s)
    Just how I would do it...
    PHP Code:
    $query = "INSERT INTO `blogentries` VALUES (
    '" . $_POST['title'] . "',
    '" . $_POST['post'] . "',
    '" . $_POST['date'] . "',
    '" . $_POST['author'] . "',
    '" . $_POST['mood'] . "'
    )";

    Mike Swiffin - Community Team Advisor
    Only a woman can read between the lines of a one word answer.....

  10. #10
    SitePoint Addict launchcode's Avatar
    Join Date
    Dec 2004
    Location
    Bristol, UK
    Posts
    259
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    don't think so.. you should put quotes around all string values
    Yes of course.. I just saw all those quotes in his original code and figured they were around the vars, but on closer inspection it's just one giant messy string with no quotes at all. Well spotted.

  11. #11
    SitePoint Zealot
    Join Date
    Aug 2003
    Location
    Singapore
    Posts
    105
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    What are the things I need to look out for when validating the form? I'm interested to know more about it.
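
The validation asked about in the last post, combined with a parameterized insert, as an added example that is not part of the original thread: each field is checked before use, and the values are bound to placeholders instead of being concatenated into the query, so an apostrophe in a title no longer breaks the statement. The column names, length limits, function names, the in-memory SQLite database and the sample array standing in for `$_POST` are all assumptions made for illustration.

```php
<?php
// Added example (not from the thread): validate each field, then insert with
// bound parameters. Column names and length limits are assumptions.
function validateEntry(array $in): array
{
    $clean = $errors = [];
    foreach (['title' => 200, 'post' => 65535, 'author' => 100, 'mood' => 50] as $field => $max) {
        // Reject non-string input (e.g. an array submitted as title[]=x).
        $value = is_string($in[$field] ?? null) ? trim($in[$field]) : '';
        if ($value === '' || strlen($value) > $max) {
            $errors[] = "$field is missing or too long";
        }
        $clean[$field] = $value;
    }
    // Accept only a real calendar date in YYYY-MM-DD form.
    $raw = is_string($in['date'] ?? null) ? $in['date'] : '';
    $d = DateTime::createFromFormat('!Y-m-d', $raw);
    if ($d === false || $d->format('Y-m-d') !== $raw) {
        $errors[] = 'date must be YYYY-MM-DD';
    }
    $clean['date'] = $raw;
    return [$clean, $errors];
}

function insertEntry(PDO $db, array $e): void
{
    // Placeholders keep the data out of the SQL text, so no manual quoting.
    $stmt = $db->prepare(
        'INSERT INTO blogentries (title, post, date, author, mood)
         VALUES (:title, :post, :date, :author, :mood)'
    );
    $stmt->execute($e);
}

// Assumed test database: in-memory SQLite so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE blogentries (id INTEGER PRIMARY KEY, title TEXT, post TEXT, date TEXT, author TEXT, mood TEXT)');

// Constructed sample standing in for $_POST; note the apostrophe in the title.
$post = ['title' => "It's working", 'post' => 'First entry', 'date' => '2005-02-14', 'author' => 'me', 'mood' => 'happy'];

[$entry, $errors] = validateEntry($post);
if ($errors) {
    exit(implode("\n", $errors) . "\n");
}
insertEntry($db, $entry);
echo $db->query('SELECT title FROM blogentries')->fetchColumn(), "\n";
```

Against the thread's MySQL table only the DSN passed to `new PDO(...)` changes; the validation and the prepared statement stay the same.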

