
Thread: using mysql_real_escape_string()? Not sure

  1. #1 SitePoint Enthusiast (Join Date: Oct 2006; Posts: 86)

    using mysql_real_escape_string()? Not sure

    I'm trying to use this function when inserting into the database. It's not actually updating or inserting. This is what I have:

    PHP Code:
    if ($_POST['Submit']) {
        $Name     = $_POST['Name'];
        $Email    = $_POST['Email'];
        $UserName = $_POST['UserName'];
        $pass     = md5($_POST['pass']);

        $sql = sprintf("update user set Name='%s', Email'%s',
                        UserName'%s',  Password'%d'",
                       mysql_real_escape_string($Name),
                       mysql_real_escape_string($Email),
                       mysql_real_escape_string($UserName),
                       $pass);

        mysql_query($sql, $con);
    }
    Is this correct with %s and %d? I'm actually a little unsure about these (wildcards?). I copied this from the php.net site, but I am doing something wrong and have no idea what.

  2. #2 markl999, "Sell crazy someplace else" (Join Date: Aug 2003; Location: Manchester, UK; Posts: 4,007)
    You've missed the = signs on some of the fields, i.e. you have Name='%s', which is ok, but the rest are like Email'%s'.

    Also always use mysql_error() to help debug problems:
    mysql_query($sql,$con) or die(mysql_error());

  3. #3 SitePoint Enthusiast (Join Date: Oct 2006; Posts: 86)
    Oh bugger, yes thanks.
    But what is %s and %d? I'm guessing that you use %s if you have used the mysql_real_escape_string() function on a $_POST and %d if you have not?

    Are these the only "%" something?

  4. #4 Grumpy Minimalist (Join Date: Jul 2006; Location: Ontario, Canada; Posts: 424)
    The '%' symbols have nothing to do with mysql_real_escape_string at all; they deal with sprintf.

    Have a look at sprintf() in the PHP manual so you can see what the code is actually doing. %s adds a string to the argument, and %d adds a number.

    The statement you are using here is basically the same as concatenation:
    PHP Code:
    $sql = 'update user set Name=\'' . mysql_real_escape_string($Name) . '\', Email=\'' . mysql_real_escape_string($Email) . '\', Username=\'' . mysql_real_escape_string($UserName) . '\', Password=\'' . intval($pass) . '\'';
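The following is an added example, not code from either poster, showing the same UPDATE written with sprintf() as discussed above and, for comparison, as a prepared statement. It assumes a mysqli connection in $con (the thread's mysql_* functions were removed in PHP 7) and the thread's table and column names; the id column and $userId are assumptions added so the UPDATE targets one row rather than every row in the table. It also makes post #4's intval() point concrete: %d casts the md5 hex digest to an integer, so the thread's original code would store the digits at the start of the hash, or 0, instead of the hash itself.

```php
<?php
// Added example (not from the thread). Assumes: a mysqli connection $con,
// table `user` with columns Name, Email, UserName, Password (from the thread),
// and an `id` primary key column plus $userId (assumptions for the WHERE clause).

// 1. The thread's approach with the missing '=' signs restored and every
//    string value escaped. The hash goes through %s, not %d: md5() returns a
//    hex string, and %d would turn it into an integer.
function buildUpdateWithSprintf(mysqli $con, array $post, int $userId): string
{
    $hash = md5($post['pass']); // kept as in the thread; password_hash() is the current choice

    return sprintf(
        "UPDATE user SET Name='%s', Email='%s', UserName='%s', Password='%s' WHERE id=%d",
        mysqli_real_escape_string($con, $post['Name']),
        mysqli_real_escape_string($con, $post['Email']),
        mysqli_real_escape_string($con, $post['UserName']),
        mysqli_real_escape_string($con, $hash),
        $userId   // %d: only digits can reach the query, so no escaping is needed here
    );
}

// 2. What %d does to a hash: the leading digits of the digest, or 0 when the
//    digest starts with a letter. This is the intval($pass) from post #4.
function hashThroughPercentD(string $hash): int
{
    return (int) sprintf('%d', $hash);
}
// e.g. hashThroughPercentD(md5('password'));  // md5 is 5f4dcc3b..., so this is 5
// e.g. hashThroughPercentD(md5('123456'));    // md5 is e10adc39..., so this is 0

// 3. Prepared statement: the values never become part of the SQL text, so there
//    is nothing to escape and no format specifier to get wrong.
function updateWithPreparedStatement(mysqli $con, array $post, int $userId): bool
{
    $stmt = $con->prepare(
        'UPDATE user SET Name=?, Email=?, UserName=?, Password=? WHERE id=?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }

    $hash = md5($post['pass']); // kept as in the thread
    // 's' = string, 'i' = integer; one letter per placeholder, in order
    $stmt->bind_param('ssssi', $post['Name'], $post['Email'], $post['UserName'], $hash, $userId);
    $ok = $stmt->execute();
    $stmt->close();

    return $ok;
}

// Usage (constructed input standing in for $_POST):
// $post = ['Name' => "O'Brien", 'Email' => 'ob@example.invalid',
//          'UserName' => 'obrien', 'pass' => 'secret'];
// $sql  = buildUpdateWithSprintf($con, $post, 42);   // O\'Brien is escaped in the text
// $con->query($sql) or die($con->error);             // post #2's advice, mysqli style
// updateWithPreparedStatement($con, $post, 42);
```

The apostrophe in the constructed name is the case mysql_real_escape_string() exists for: with the sprintf() version it arrives in the query as O\'Brien, with the prepared statement it is sent separately from the SQL and needs no escaping at all.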

  5. #5 SitePoint Enthusiast (Join Date: Oct 2006; Posts: 86)
    Thanks. Yes sprintf().
