Yes, you'll want to escape everything you're putting into the database. I recommend validation as well.
mysql_real_escape_string()
Injecting two queries into two different tables in mysql
- Supplement
- Forum Commoner
- Posts: 45
- Joined: Thu Aug 18, 2011 8:52 pm
- Location: Oceanside, CA
Re: Injecting two queries into two different tables in mysql
I am validating everything already, so just the escaping needs to be done...
is that correct?
Code:
$sql=" mysql_escape_string() INSERT INTO affus (Cards, NoCards, User, Pass, hmnumber, BusinessType, Ctry, Company, addr1, City, State, zip, wknumber, wkfax, Fname, lname, Email, Email2)
VALUES
('$_POST[Cards]','$_POST[NoCards]','$_POST[User]','$_POST[Pass]','$_POST[hmnumber]','$_POST[BusinessType]','$_POST[Ctry]','$_POST[Company]','$_POST[addr1]','$_POST[City]','$_POST[State]','$_POST[zip]','$_POST[wknumber]','$_POST[wkfax]','$_POST[Fname]','$_POST[lname]','$_POST[email]','$_POST[Email2]')";
$sql_1=" mysql_escape_string() INSERT INTO usup (username, password)
VALUES('$_POST[User]','$_POST[Pass]')";
Re: Injecting two queries into two different tables in mysql
No. You need to escape each variable.
Code:
foreach ($_POST as $k => $v)
{
    // escape each submitted value over the open MySQL connection
    $_POST[$k] = mysql_real_escape_string($v);
}
Re: Injecting two queries into two different tables in mysql
Does it matter if it goes at the beginning or the end?
Re: Injecting two queries into two different tables in mysql
It has to go before your query.
Re: Injecting two queries into two different tables in mysql
Code:
$sql_1="INSERT INTO membs (username, password)
VALUES mysql_real_escape_string('$_POST[User]','$_POST[Pass]')"; mysql_query($sql_1);
This should work, no?
Re: Injecting two queries into two different tables in mysql
No.
Code:
foreach ($_POST as $k => $v)
{
    // escape every value first ...
    $_POST[$k] = mysql_real_escape_string($v);
}
// ... then build the query from the already-escaped values
$sql = "INSERT INTO blah blah whatever...";
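The same advice carried through for both tables, as an added example that is not code from this thread: every value is escaped before it is interpolated, and only then are the two INSERT strings built. The mysql_* extension used above was removed in PHP 7, so this assumes mysqli; the connection credentials and the $post array are constructed placeholders, and the table and column names follow the thread.

```php
<?php
// Escape each requested field of $input over the open connection.
// mysqli_real_escape_string needs the connection because it uses its charset.
function escape_fields(mysqli $db, array $input, array $fields): array {
    $clean = [];
    foreach ($fields as $f) {
        // Missing keys become empty strings instead of raising notices.
        $clean[$f] = mysqli_real_escape_string($db, (string)($input[$f] ?? ''));
    }
    return $clean;
}

// Build both INSERT statements from escaped values only.
function build_inserts(mysqli $db, array $post): array {
    $affus_cols = ['Cards', 'NoCards', 'User', 'Pass', 'hmnumber', 'BusinessType',
        'Ctry', 'Company', 'addr1', 'City', 'State', 'zip', 'wknumber', 'wkfax',
        'Fname', 'lname', 'Email', 'Email2'];
    $v = escape_fields($db, $post, $affus_cols);

    // Every escaped value is placed inside single quotes: escaping protects
    // quoted string literals only, never identifiers or unquoted numbers.
    $values = "'" . implode("','", array_map(fn($c) => $v[$c], $affus_cols)) . "'";
    $sql_affus = "INSERT INTO affus (" . implode(', ', $affus_cols) . ") VALUES ($values)";
    $sql_usup  = "INSERT INTO usup (username, password) "
               . "VALUES ('{$v['User']}','{$v['Pass']}')";
    return [$sql_affus, $sql_usup];
}

// Constructed sample input (placeholder credentials); note the quote in User.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
$post = ['User' => "o'brien", 'Pass' => 'hunter2', 'Email' => 'a@example.com'];
[$sql_affus, $sql_usup] = build_inserts($db, $post);
$db->query($sql_affus);
$db->query($sql_usup);
```

With the sample input the username is written into the SQL as `'o\'brien'`, so the quote ends up in the data rather than terminating the string literal; mysqli prepared statements reach the same result without building the query text at all.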