Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

$_POST and insert 1

Status
Not open for further replies.

MinnisotaFreezing

Programmer
Jun 21, 2001
120
KR
A few questions.

$first = $_POST['first_name'];
if ($_POST['submit'] == "Enter")
{
$query = "insert into names
(first, last) values
('$first', '$_POST['last_name']')";

mysql_query($query) or
die (mysql_error());
?>

first is inserted into my table, last_name is not. Is there a way I can write my insert string so I don't have to pass the global variable into a local one, like I did for first_name?

More importantly, if I simply take the posted global variables and insert them into my table, am I missing the whole point of turning global variables off? This is not sensitive data, but I would like to learn things right. Should I pass all POST data into local variables and run some validity check on them before inserting?

Thanks for the help, sorry if this is a bit muddled.

CJB
 
the regularly assinged vars work when used in a sql statement like above, but to use $_POST you need to have it outside the quotes like this:

$query = "insert into names
(first, last) values
('$first', '".$_POST['last_name']."')";


Bastien

cat, the other other white meat
 
You should ALWAYS validate user input, not only to protect yourself, but to filter out user stupidity %-)

I don't believe there's any need to pass the _POST info to another var tho, unless for some reason it's more handy in a var than in an array. You can perfom the same validation in either case.
 
Thanks for more good advice.

I know it is a pain, but I'll try and validate input in this project.
 
Don't let validation scare you off. At it's simplest, it merely means making sure that the info that the user inputs is what you expect it to be. For instance, if you are expecting an integer input, and the user submits a character string, will it crash you, or have you protected yourself by only accepting integers?

You can graduate from there into increasingly complex forms of validation such as checking for correct characters and even IP validation. Only you can determine the level of protection you do or don't need! [thumbsup2]
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top