Re: Injecting two queries into two different tables in mysql
Posted: Fri Nov 04, 2011 7:17 pm
by Celauran
Yes, you'll want to escape everything you're putting into the database. I recommend validation as well.
mysql_real_escape_string()
Re: Injecting two queries into two different tables in mysql
Posted: Fri Nov 04, 2011 7:51 pm
by Supplement
I am validating everything already, so just the escaping needs to be done...
Code:
$sql=" mysql_escape_string() INSERT INTO affus (Cards, NoCards, User, Pass, hmnumber, BusinessType, Ctry, Company, addr1, City, State, zip, wknumber, wkfax, Fname, lname, Email, Email2)
VALUES
('$_POST[Cards]','$_POST[NoCards]','$_POST[User]','$_POST[Pass]','$_POST[hmnumber]','$_POST[BusinessType]','$_POST[Ctry]','$_POST[Company]','$_POST[addr1]','$_POST[City]','$_POST[State]','$_POST[zip]','$_POST[wknumber]','$_POST[wkfax]','$_POST[Fname]','$_POST[lname]','$_POST[email]','$_POST[Email2]')";
$sql_1=" mysql_escape_string() INSERT INTO usup (username, password)
VALUES('$_POST[User]','$_POST[Pass]')";
Is that correct?
Re: Injecting two queries into two different tables in mysql
Posted: Fri Nov 04, 2011 8:13 pm
by Celauran
No. You need to escape each variable.
Code:
// Escape every POST value in place, before any query string is built.
foreach ($_POST as $k => $v)
{
$_POST[$k] = mysql_real_escape_string($v);
}
Re: Injecting two queries into two different tables in mysql
Posted: Fri Nov 04, 2011 8:43 pm
by Supplement
Does it matter if it goes at the beginning or the end?
Re: Injecting two queries into two different tables in mysql
Posted: Fri Nov 04, 2011 8:44 pm
by Celauran
It has to go before your query.
Re: Injecting two queries into two different tables in mysql
Posted: Sun Nov 06, 2011 4:41 pm
by Supplement
$sql_1="INSERT INTO membs (username, password)
VALUES mysql_real_escape_string('$_POST[User]','$_POST[Pass]')"; mysql_query($sql_1);
This should work, no?
Re: Injecting two queries into two different tables in mysql
Posted: Sun Nov 06, 2011 8:58 pm
by Celauran
No.
Code:
// Escape first...
foreach ($_POST as $k => $v)
{
$_POST[$k] = mysql_real_escape_string($v);
}
// ...then build the query from the already-escaped values.
$sql = "INSERT INTO blah blah whatever...";
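Pulling Celauran's two replies together into one full example (added here; this is not code posted in the thread). It shows the fix the thread is describing, escaping each value before the query string is built, and then the same two inserts done with mysqli prepared statements, where user data never enters the SQL text at all. The ext/mysql functions used in the thread were removed in PHP 7.0, so the example uses mysqli. The table and column names (affus, usup, Cards, NoCards, User, Pass, username, password) come from the thread; the connection details and the $_POST contents are assumptions, and the password hashing is a practitioner's addition, not something the thread asked for.

```php
<?php
// Added example, not from the thread. Assumes a reachable MySQL server with the
// two tables from the thread; connection parameters below are placeholders.

// Constructed request data; a real form submission would populate $_POST.
$_POST = [
    'Cards'   => "Y'); DROP TABLE usup; -- ",  // injection attempt
    'NoCards' => '2',
    'User'    => "o'brien",                     // legitimate apostrophe
    'Pass'    => 'hunter2',
];

// Escape every value (the foreach from the thread) into a SEPARATE array.
// Overwriting $_POST in place throws away the raw values, and anything that
// escapes again later would store backslashes in the table.
function escape_all(mysqli $db, array $input): array
{
    $safe = [];
    foreach ($input as $k => $v) {
        // Connection-aware (uses the connection charset), which is why it has
        // to run after connecting and before the query string is built.
        $safe[$k] = mysqli_real_escape_string($db, (string) $v);
    }
    return $safe;
}

// Approach 1: the thread's fix. The escaped values are only safe inside single
// quotes; interpolating one unquoted (e.g. a numeric column) stays injectable.
function build_escaped_queries(mysqli $db, array $post): array
{
    $p = escape_all($db, $post);
    $sql = "INSERT INTO affus (Cards, NoCards, User, Pass)
            VALUES ('{$p['Cards']}', '{$p['NoCards']}', '{$p['User']}', '{$p['Pass']}')";
    $sql_1 = "INSERT INTO usup (username, password)
              VALUES ('{$p['User']}', '{$p['Pass']}')";
    return [$sql, $sql_1];
}

// Approach 2: prepared statements, both inserts in one transaction so the two
// tables cannot end up out of step if the second insert fails.
function insert_member(mysqli $db, array $post): void
{
    $db->begin_transaction();
    try {
        // Assumption: plaintext password storage was not intended.
        $hash = password_hash($post['Pass'], PASSWORD_DEFAULT);

        $st = $db->prepare(
            'INSERT INTO affus (Cards, NoCards, User, Pass) VALUES (?, ?, ?, ?)'
        );
        $st->bind_param('ssss', $post['Cards'], $post['NoCards'], $post['User'], $hash);
        $st->execute();

        $st = $db->prepare('INSERT INTO usup (username, password) VALUES (?, ?)');
        $st->bind_param('ss', $post['User'], $hash);
        $st->execute();

        $db->commit();
    } catch (mysqli_sql_exception $e) {
        $db->rollback();
        throw $e;
    }
}

// Placeholder connection parameters (assumption).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // exceptions, not silent failure
$db = new mysqli('localhost', 'appuser', 'apppass', 'appdb');
$db->set_charset('utf8mb4');

[$sql, $sql_1] = build_escaped_queries($db, $_POST);
echo $sql, "\n", $sql_1, "\n";   // the quotes in Cards and User come out as \'

insert_member($db, $_POST);
```

Either way the order is the one Celauran gives: escape (or bind) first, build or prepare the query second, then run it. The difference is that with prepared statements there is no query string containing user input to get wrong, so the "did I escape this one?" question goes away for every column.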