[HELP] query string problem, again

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

bla5e wrote:

Code:

mysql_query("INSERT INTO `members` (id, shortname, fullname, age, car, location, state, body, engine, brag, future) VALUES ('', '".$_POST['shortname']."','".$_POST['fullname']."','".$_POST['age']."','".$_POST['car']."','".$_POST['location']."','".$_POST['state']."', '$body', '$engine', '$brag', '$future') or die(mysql_error()");
uh yeah.....

Code:

mysql_query("INSERT INTO `members` (id, shortname, fullname, age, car, location, state, body, engine, brag, future) VALUES ('', '".$_POST['shortname']."','".$_POST['fullname']."','".$_POST['age']."','".$_POST['car']."','".$_POST['location']."','".$_POST['state']."', '$body', '$engine', '$brag', '$future')") or die(mysql_error());
You still haven't posted what one of these failing query strings is... but since you refuse to, I'll just blurt out what comes naturally: you aren't escaping the $_POST variables you are using, so any garbage in there could potentially screw with the query. You have a really big potential for SQL injection with these lines.
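To make the escaping point concrete, here is an added example (not code from the thread) that builds the thread's INSERT the same way, with the column list shortened, and shows what two constructed form submissions do to it, then the same insert as a prepared statement. It uses mysqli rather than the mysql_* functions in the thread, since those were removed in PHP 7; the `$db` connection and the sample $_POST arrays are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a mysqli connection in $db and a
// `members` table with the columns used below (a subset of the thread's).

// 1. The thread's approach: paste $_POST values straight into the SQL text.
function buildUnsafeQuery(array $post): string
{
    return "INSERT INTO `members` (id, shortname, fullname, age, car, location, state) "
         . "VALUES ('', '" . $post['shortname'] . "','" . $post['fullname'] . "','"
         . $post['age'] . "','" . $post['car'] . "','" . $post['location'] . "','"
         . $post['state'] . "')";
}

// Constructed sample input: an ordinary user whose name contains an apostrophe.
// The apostrophe closes the string literal early, so mysql_error() reports a
// syntax error. This is the most common reason such "query strings" fail.
$legit = ['shortname' => 'pat', 'fullname' => "Pat O'Brien", 'age' => '34',
          'car' => 'Civic', 'location' => 'Bothell', 'state' => 'WA'];
echo buildUnsafeQuery($legit), "\n";
//   ... VALUES ('', 'pat','Pat O'Brien','34','Civic','Bothell','WA')

// Constructed hostile input: the `car` field finishes the current row, appends a
// row of the attacker's choosing, and comments out the rest of the statement.
// The result is one syntactically valid INSERT that stores two rows.
$hostile = $legit;
$hostile['fullname'] = 'Pat';
$hostile['car'] = "Civic', 'x', 'y'), ('', 'mallory', 'mallory', '0', 'x', 'y', 'z') -- ";
echo buildUnsafeQuery($hostile), "\n";
//   ... VALUES ('', 'pat','Pat','34','Civic', 'x', 'y'), ('', 'mallory', ... 'z') -- ','Bothell','WA')

// 2. Hardened: a prepared statement. The SQL text is fixed; the values are sent
//    to the server separately, so quotes, parentheses and "--" in them are data.
function insertMember(mysqli $db, array $post): bool
{
    $stmt = $db->prepare(
        "INSERT INTO `members` (shortname, fullname, age, car, location, state) "
      . "VALUES (?, ?, ?, ?, ?, ?)"
    );
    if ($stmt === false) {
        throw new RuntimeException($db->error);
    }
    $stmt->bind_param(
        'ssisss',
        $post['shortname'], $post['fullname'], $post['age'],
        $post['car'], $post['location'], $post['state']
    );
    return $stmt->execute();
}

// insertMember($db, $legit);   // stores "Pat O'Brien" intact
// insertMember($db, $hostile); // stores the payload as the literal car name
```

If the code has to stay on the old mysql_* extension, the minimum is `mysql_real_escape_string()` around every string value and an `(int)` cast on numeric ones such as age; leaving the `id` column out of the INSERT (rather than inserting `''`) lets AUTO_INCREMENT assign it.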
bla5e
Forum Contributor
Posts: 234
Joined: Tue May 25, 2004 4:28 pm

Post by bla5e »

They aren't failing. They are both error-free now because I forgot a "

But how do I get both of them to run at one time?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

INSERT Syntax wrote:

Code:

INSERT [LOW_PRIORITY | DELAYED | HIGH_PRIORITY] [IGNORE]
    [INTO] tbl_name [(col_name,...)]
    VALUES ({expr | DEFAULT},...),(...),...
    [ ON DUPLICATE KEY UPDATE col_name=expr, ... ]

Or:

INSERT [LOW_PRIORITY | DELAYED | HIGH_PRIORITY] [IGNORE]
    [INTO] tbl_name
    SET col_name={expr | DEFAULT}, ...
    [ ON DUPLICATE KEY UPDATE col_name=expr, ... ]

Or:

INSERT [LOW_PRIORITY | HIGH_PRIORITY] [IGNORE]
    [INTO] tbl_name [(col_name,...)]
    SELECT ...
    [ ON DUPLICATE KEY UPDATE col_name=expr, ... ]
There's no multiple-table insert.
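Since one INSERT only targets one table, the practical way to make two inserts "run at one time" is to execute them inside a single transaction so that either both rows are stored or neither is. The following is an added example, not code from the thread; it assumes a mysqli connection in `$db`, InnoDB tables, and a hypothetical second table `cars` whose column names are invented for illustration.

```php
<?php
// Added example, not from the thread. Assumes a mysqli connection $db with
// InnoDB tables: `members` (id AUTO_INCREMENT, shortname, fullname, age) and a
// hypothetical `cars` (member_id, car, engine). Column names are assumptions.

function insertMemberAndCar(mysqli $db, array $member, array $car): int
{
    $db->begin_transaction();
    try {
        // First statement: the member row. Prepared, so form input stays data.
        $stmt = $db->prepare(
            "INSERT INTO `members` (shortname, fullname, age) VALUES (?, ?, ?)"
        );
        if ($stmt === false) {
            throw new RuntimeException($db->error);
        }
        $stmt->bind_param('ssi', $member['shortname'], $member['fullname'], $member['age']);
        if (!$stmt->execute()) {
            throw new RuntimeException($stmt->error);
        }
        // AUTO_INCREMENT id of the row just inserted, for the second table.
        $memberId = $db->insert_id;

        // Second statement: the dependent row, keyed on that id.
        $stmt = $db->prepare(
            "INSERT INTO `cars` (member_id, car, engine) VALUES (?, ?, ?)"
        );
        if ($stmt === false) {
            throw new RuntimeException($db->error);
        }
        $stmt->bind_param('iss', $memberId, $car['car'], $car['engine']);
        if (!$stmt->execute()) {
            throw new RuntimeException($stmt->error);
        }

        $db->commit();          // both rows become visible together
        return $memberId;
    } catch (Throwable $e) {
        $db->rollback();        // a failure in either statement leaves no half-written data
        throw $e;
    }
}

// Constructed sample input (would normally come from $_POST):
// $id = insertMemberAndCar($db,
//     ['shortname' => 'pat', 'fullname' => "Pat O'Brien", 'age' => 34],
//     ['car' => 'Civic', 'engine' => 'D16']);
```

mysqli also offers `multi_query()`, which sends several statements in one call, but combined with string-built SQL it turns every unescaped field into a place where an attacker can append a whole extra statement; two prepared statements in a transaction give the atomicity without that exposure.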