Using Safe-Mode Form Variables in mySQL Query

**Friend_Al_23** · 07-27-2003, 07:23 AM

I am in a safe mode, I think. Anyway, in order to receive form variables through post method, I have to use $_POST['variable_name'] in order to read that variable. But how do you do it when you want to include it in query? The code is written below:

PHP Code:


			
$result = mysql_query("INSERT INTO mytable ('column1', 'column2') VALUES ($_POST['variable1'], $_POST['variable2']") or die ("Query Error: ".mysql_error());

The code above gives me an mySQL error stating that I should read the manual for the proper format. Isn't the above query in proper format already?

**david** · 07-27-2003, 12:15 PM

How about:

PHP Code:


			
$result = mysql_query("INSERT INTO mytable ('column1', 'column2') VALUES (".$_POST['variable1'].", ".$_POST['variable2']) or die ("Query Error: ".mysql_error());

**neOnbubble** · 07-27-2003, 12:29 PM

I don't think I need mention how unbelievably unsafe that code is regardless of how safe you think you are and how you really should do some preprocessing on the posted variables before throwing them at a sql query but I think the original problem was partly because you didn't close the parentheses after the second $_POST and before the double quotes:

PHP Code:


			
$result = mysql_query("INSERT INTO mytable ('column1', 'column2') VALUES ($_POST['variable1'], $_POST['variable2']     )    ") or die ("Query Error: ".mysql_error());