Injecting two queries into two different tables in mysql


Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Injecting two queries into two different tables in mysql

Post by Celauran »

Yes, you'll want to escape everything you're putting into the database. I recommend validation as well.

mysql_real_escape_string()
Supplement
Forum Commoner
Posts: 45
Joined: Thu Aug 18, 2011 8:52 pm
Location: Oceanside, CA

Re: Injecting two queries into two different tables in mysql

Post by Supplement »

I am validating everything already, so just the escaping needs to be done...

Code:

$sql=" mysql_escape_string() INSERT INTO affus (Cards, NoCards, User, Pass, hmnumber, BusinessType, Ctry, Company, addr1, City, State, zip, wknumber, wkfax, Fname, lname, Email, Email2)
VALUES
('$_POST[Cards]','$_POST[NoCards]','$_POST[User]','$_POST[Pass]','$_POST[hmnumber]','$_POST[BusinessType]','$_POST[Ctry]','$_POST[Company]','$_POST[addr1]','$_POST[City]','$_POST[State]','$_POST[zip]','$_POST[wknumber]','$_POST[wkfax]','$_POST[Fname]','$_POST[lname]','$_POST[email]','$_POST[Email2]')";


$sql_1=" mysql_escape_string() INSERT INTO usup (username, password)
VALUES('$_POST[User]','$_POST[Pass]')";

is that correct?

Post by Celauran »

No. You need to escape each variable.

Code:

foreach ($_POST as $k => $v)
{
  $_POST[$k] = mysql_real_escape_string($v);
}

Post by Supplement »

Does it matter if it goes at the beg. or end?

Post by Celauran »

It has to go before your query.

Post by Supplement »

$sql_1="INSERT INTO membs (username, password)
VALUES mysql_real_escape_string('$_POST[User]','$_POST[Pass]')"; mysql_query($sql_1);



This should work, no?

Post by Celauran »

No.

Code:

foreach ($_POST as $k => $v)
{
  $_POST[$k] = mysql_real_escape_string($v);
}

$sql = "INSERT INTO blah blah whatever...";
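
The thread's two inserts written with bound parameters, as an added example that is not part of any post: the ext/mysql functions used above (mysql_real_escape_string(), mysql_query()) were removed in PHP 7.0, and with placeholders the values never become part of the SQL text, so no per-value escaping step is needed. It assumes PDO with an in-memory SQLite database so it runs offline and uses only some of the affus columns; register() and the sample values are constructed, and the password hashing is an addition not discussed in the thread.

```php
<?php
// Added example, not code from the thread: bound parameters instead of escaping.
// Assumption: in-memory SQLite through PDO so it runs offline; with MySQL only the DSN differs.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Table and column names come from the thread; only a subset of the affus columns is used.
$pdo->exec('CREATE TABLE affus (User TEXT, Pass TEXT, Company TEXT, Email TEXT)');
$pdo->exec('CREATE TABLE usup (username TEXT, password TEXT)');

// register() is a hypothetical helper name.
function register(PDO $pdo, array $post): void
{
    $in = [];
    foreach (['User', 'Pass', 'Company', 'Email'] as $f) {
        // Accept only the expected fields, and only as strings (rejects User[]=... arrays).
        if (!isset($post[$f]) || !is_string($post[$f])) {
            throw new InvalidArgumentException("Missing or non-string field: $f");
        }
        $in[$f] = $post[$f];
    }
    // Assumption, not discussed in the thread: store a password hash, not the raw value.
    $hash = password_hash($in['Pass'], PASSWORD_DEFAULT);

    $pdo->beginTransaction(); // both rows are written, or neither
    try {
        $pdo->prepare('INSERT INTO affus (User, Pass, Company, Email) VALUES (?, ?, ?, ?)')
            ->execute([$in['User'], $hash, $in['Company'], $in['Email']]);
        $pdo->prepare('INSERT INTO usup (username, password) VALUES (?, ?)')
            ->execute([$in['User'], $hash]);
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

// Constructed sample input with quotes and comment markers in the values.
$post = [
    'User'    => "o'brien",
    'Pass'    => 'correct horse battery',
    'Company' => "O'Brien \"Cards\" & Sons; -- ltd",
    'Email'   => 'ob@example.test',
];
register($pdo, $post);
var_dump($pdo->query('SELECT User, Company FROM affus')->fetch(PDO::FETCH_ASSOC));
var_dump((int) $pdo->query('SELECT COUNT(*) FROM usup')->fetchColumn());
```

The values come back from the database exactly as submitted, quotes included, because they were sent as data rather than spliced into the statement.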