Re: Difficulty posting array data

Posted: Fri Jun 24, 2011 12:18 pm
by digdigdig
Ok, this works. (Ya-hoo!)

However, I'm wondering if i need to add the escape sequence at the bottom after the last else statement as well?

Code:

//inserting records
$Insert=sprintf("INSERT INTO formdata(FirstName, LastName, Email, Status, Date, Source)
VALUES
('FirstName','LastName','Email','Status','Date','Source')",
mysql_real_escape_string($_POST['FirstName']),
mysql_real_escape_string($_POST['LastName']),
mysql_real_escape_string($_POST['Email']),
mysql_real_escape_string($_POST['Status']),
mysql_real_escape_string($_POST['Date']),
mysql_real_escape_string($_POST['Source'])
);
$error = 0;
if(isset($_POST['Status'])){
    if($_POST['Status'] == 'Other'){
        if(isset($_POST['Other']) && trim($_POST['Other']) != ''){
            $status = $_POST['Other'];
        } else {
            $error++;
            echo "Please fill out the 'Other' box.<br />";
        }
    } else {
        $status = $_POST['Status'];
    }
} else {
    $error++;
    echo "Please select a 'Status'.<br />";
}
if($error){
    echo "<br />There were $error error".($error>1?'s':'').".";
} else {
    $Insert="INSERT INTO formdata(FirstName, LastName, Email, Status, Date, Source)
    VALUES
    ('".$_POST['FirstName']."','".$_POST['LastName']."','".$_POST['Email']."','".$status."',Now(),'".$_POST['Source']."')";
}
if(!mysql_query($Insert,$dbc)){
    die('Error: '.mysql_error());
}


Re: Difficulty posting array data

Posted: Fri Jun 24, 2011 2:41 pm
by pickle
Absolutely everywhere. You should never make a query with unescaped $_POST elements.

Re: Difficulty posting array data

Posted: Fri Jun 24, 2011 2:49 pm
by digdigdig
Thanks! I'll add it to the end.

Have a great weekend......

Re: Difficulty posting array data

Posted: Fri Jun 24, 2011 3:31 pm
by Idri
Just out of interest: why are you preparing your query twice? You're preparing it both at the top and the bottom, though at the bottom you're overwriting the one from the top. Replace the current bottom one with the one you have at the top :)

Also, I don't know if you've tested it but the current way you're using sprintf will end up giving you hardcoded input (namely FirstName, LastName etc). An easy way to show you is by using printf (same as sprintf, but prints its value rather than returning it as a variable). Just copy-paste the following to see what I mean.

Code:

printf("The cup is filled with water", "coffee");
// Result: The cup is filled with water
printf("The cup is filled with %s", "coffee");
// Result: The cup is filled with coffee 
As you can see, you can use %s as a temporary placeholder for a variable which you add later on.
(%s is a type specifier, there's more than just %s though, you can check up on them over at the manual (PHP.net - Sprintf), just search for type specifier)
If you're using more than 1 variable, the placeholders get their values in the order you place the variables.

Code:

printf("The %s is filled with %s", "cup", "coffee");
// Result: The cup is filled with coffee
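Putting pickle's rule (every $_POST value escaped, nowhere unescaped) and Idri's sprintf point (one %s per value, arguments filled in order) together, here is an added example that is not code from this thread or from digdigdig's script. It builds the INSERT once, with the Status/Other validation the thread's script performs, and shows the same form submission run through the unescaped concatenation and through the escaped sprintf version. The names resolve_status, build_insert, build_insert_unescaped and demo_escape are assumptions of this example; demo_escape is a stand-in so the file runs without a database, and in the real script you would pass 'mysql_real_escape_string' instead.

```php
<?php
// Added example, not code from the thread. Shows the sprintf placeholder fix
// Idri describes and the "escape every $_POST value" rule pickle states.
// $post and $escape are assumptions: the real script passes $_POST and
// 'mysql_real_escape_string' (which needs an open mysql connection).

// Validate Status / Other the same way the thread's script does.
// Returns [status, list of error messages].
function resolve_status(array $post): array {
    $errors = [];
    if (!isset($post['Status'])) {
        $errors[] = "Please select a 'Status'.";
        return [null, $errors];
    }
    if ($post['Status'] !== 'Other') {
        return [$post['Status'], $errors];
    }
    if (isset($post['Other']) && trim($post['Other']) !== '') {
        return [$post['Other'], $errors];
    }
    $errors[] = "Please fill out the 'Other' box.";
    return [null, $errors];
}

// Build the INSERT once: one '%s' per value, every value passed through $escape.
// The single quotes around each %s stay in the format string; escaping removes
// the quote characters' special meaning, it does not add the quoting.
function build_insert(array $post, string $status, callable $escape): string {
    return sprintf(
        "INSERT INTO formdata(FirstName, LastName, Email, Status, Date, Source)
         VALUES ('%s','%s','%s','%s',NOW(),'%s')",
        $escape($post['FirstName'] ?? ''),
        $escape($post['LastName'] ?? ''),
        $escape($post['Email'] ?? ''),
        $escape($status),
        $escape($post['Source'] ?? '')
    );
}

// The unescaped concatenation from the bottom of the thread's script, kept only
// to show what it produces on the same input.
function build_insert_unescaped(array $post, string $status): string {
    return "INSERT INTO formdata(FirstName, LastName, Email, Status, Date, Source)
         VALUES ('" . $post['FirstName'] . "','" . $post['LastName'] . "','"
         . $post['Email'] . "','" . $status . "',NOW(),'" . $post['Source'] . "')";
}

// Stand-in escaper so this file runs offline. It escapes the same characters
// mysql_real_escape_string does (NUL, \n, \r, \, ', ", ^Z) but is not aware of
// the connection's character set, so use the real function against $dbc.
function demo_escape(string $s): string {
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

// Constructed form submission: an ordinary surname containing an apostrophe.
$post = [
    'FirstName' => 'Ann', 'LastName' => "O'Brien", 'Email' => 'ann@example.com',
    'Status' => 'Other', 'Other' => 'Contractor', 'Source' => 'web',
];

[$status, $errors] = resolve_status($post);
if ($errors) {
    foreach ($errors as $e) echo $e, "<br />\n";
    exit;
}
echo build_insert_unescaped($post, $status), "\n"; // contains 'O'Brien' : malformed SQL
echo build_insert($post, $status, 'demo_escape'), "\n"; // contains 'O\'Brien' : one valid row
// In the live script:
// mysql_query(build_insert($_POST, $status, 'mysql_real_escape_string'), $dbc)
```

Running this prints the two statements side by side: the concatenated one breaks on a legitimate name because the apostrophe closes the string literal early, while the escaped one inserts the row as intended. Note that the mysql_* extension the thread uses was removed in PHP 7; on a current PHP you would call mysqli_real_escape_string($dbc, ...) as the $escape callback, or use a prepared statement (mysqli or PDO), where the driver sends values separately from the SQL text and the escaping step is not needed at all.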