
  1. #1
    SitePoint Member

    Exclamation Adding value from dropdown or textfield to one database field

    Please have a look at the attachment to see what I'm trying to do.
    Database field = "Age"
    I want that if a user chooses a date of birth, or if he writes his age in the text box, the data goes to the field name 'Age' only.

    How do I do this?
    PHP Code:
    $insert = mysql_query("insert into register (Name,Gender,DOB,Age,TOB,POB) values ('".$_SESSION['Name']."', '".$_SESSION['Gender']."', '".$_SESSION['DateofBirth']."', '".$_SESSION['Age']."', '".$_SESSION['Timeofbirth']."', '".$_SESSION['Placeofbirth']."')
    or die("Could not insert data because ".mysql_error());
    I'm a newbie to PHP/MySQL.
    Please help!

  2. #2
    SitePoint Addict
    You must start your session. You also forgot the closing double quote at the end of your query. Where do your session values receive their values from? POST?
    To avoid SQL injection you should use mysql_real_escape_string in your query as well. See Example 3.

    PHP Code:
    session_start();
    $_SESSION['Name'] = $_POST['Name'];

    $insert = mysql_query("INSERT INTO register (Name,Gender,DOB,Age,TOB,POB) VALUES ('".$_SESSION['Name']."', '".$_SESSION['Gender']."', '".$_SESSION['DateofBirth']."', '".$_SESSION['Age']."', '".$_SESSION['Timeofbirth']."', '".$_SESSION['Placeofbirth']."')")
    or die("Could not insert data because ".mysql_error());
    If you don't need the values after inserting, you could simply:
    PHP Code:
    $Name = $_POST['Name'];
    and replace the $_SESSION with the variable name.

  3. #3
    SitePoint Addict
    Quote Originally Posted by spiderling:
        You must start your session. You also forgot the closing double quote at the end of your query. Where do your session values receive their values from? POST?
        To avoid SQL injection you should use mysql_real_escape_string in your query as well. See Example 3.
    If you want to avoid SQL injection, you should use parameterized SQL, not string escaping (well, you should validate your input, amongst which string escaping is useful). It is impossible to inject against a parameterized query. History has shown that escaping strings isn't always as effective.

    </rant>

  4. #4
    SitePoint Addict
    Thanks for the info.

    Isn't using sprintf() with mysql_real_escape_string() another form of a parameterized statement as it uses a placeholder, as well as a type specifier and escapes?

  5. #5
    AnthonySterling
    Quote Originally Posted by spiderling:
        Thanks for the info.

        Isn't using sprintf() with mysql_real_escape_string() another form of a parameterized statement as it uses a placeholder, as well as a type specifier and escapes?
    Afraid not, the only thing sprintf does is make concatenating queries easy to read, it offers zero protection.
    @AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.

  6. #6
    SitePoint Addict
    Is this an ideal example then?
    PHP Code:
    $db = new mysqli("localhost", "user", "pass", "database");
    $stmt = $db->prepare("SELECT priv FROM testUsers WHERE username=? AND password=?");
    $stmt->bind_param("ss", $user, $pass);
    $stmt->execute();
    Does the bind_param itself prevent issues with the user's input or is validation / "filtering" still necessary? I wouldn't feel right not validating / filtering, that's for sure.

  7. #7
    AnthonySterling
    Validation and filtering protects your application, bound parameters and the like protect your database should something get through your validation and filtering.

    It's not an either/or decision.
    @AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.
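    Putting the two halves of that answer together for the original poster's register table: an added example, not code from anyone in this thread. It validates the date-of-birth/age input first (so only one sane Age value reaches the database) and then inserts with a parameterized query. PDO with an in-memory SQLite database is assumed so it runs offline; for MySQL only the DSN changes.

```php
<?php
// Added example, not the thread's code: the poster's INSERT into `register`
// done with validation plus a parameterized query. PDO with an in-memory
// SQLite database is assumed so it runs offline; for MySQL only the DSN changes.

// Age comes from the date-of-birth picker if it was used, else from the text
// box. Returns null when neither input is acceptable, so nothing is inserted.
function deriveAge(string $dob, string $ageText, DateTimeImmutable $today): ?int
{
    if ($dob !== '') {
        $born = DateTimeImmutable::createFromFormat('!Y-m-d', $dob);
        if ($born === false || $born->format('Y-m-d') !== $dob || $born > $today) {
            return null;                           // malformed or future date
        }
        return $born->diff($today)->y;
    }
    if (preg_match('/^\d{1,3}$/', $ageText) && (int)$ageText <= 130) {
        return (int)$ageText;                      // digits only, sane range
    }
    return null;
}

// Placeholders keep the values out of the SQL text: a quote in Name is stored
// as data and cannot alter the statement, whatever validation let through.
function insertRegistration(PDO $db, array $in, int $age): void
{
    $stmt = $db->prepare('INSERT INTO register (Name, Gender, DOB, Age, TOB, POB)
                          VALUES (?, ?, ?, ?, ?, ?)');
    $stmt->execute([$in['Name'], $in['Gender'], $in['DateofBirth'], $age,
                    $in['Timeofbirth'], $in['Placeofbirth']]);
}

// Constructed sample run (stands in for $_POST / $_SESSION).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE register (Name TEXT, Gender TEXT, DOB TEXT, Age INTEGER,
                                  TOB TEXT, POB TEXT)');
$post = ['Name' => "O'Brien", 'Gender' => 'M', 'DateofBirth' => '1990-05-20',
         'Age' => '', 'Timeofbirth' => '08:15', 'Placeofbirth' => 'Leeds'];

$age = deriveAge($post['DateofBirth'], $post['Age'], new DateTimeImmutable('2009-06-01'));
if ($age === null) {
    exit("Invalid date of birth or age\n");
}
insertRegistration($db, $post, $age);

$check = $db->prepare('SELECT Name, Age FROM register WHERE Name = ?');
$check->execute([$post['Name']]);
$row = $check->fetch(PDO::FETCH_ASSOC);
printf("Stored %s with Age %d\n", $row['Name'], $row['Age']);
```

    The apostrophe in the sample Name is the point: with bound parameters it is stored literally, whereas in the concatenated query from post #1 it would have broken (or altered) the SQL.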

  8. #8
    SitePoint Addict
    Thanks!
