implode & insert PHP

Question

ARKaMAN 0 Light Poster

12 Years Ago

Hello, what am I doing wrong?

It just errors out or posts blanks.

'$edate=implode('-', {$_POST['edate']})',

Is the thing not working

<?php
include_once 'resources/init.php';

$sql="INSERT INTO Client (
    firstname,
    lastname,
    email,
    invoice,
    company,
    arenew,
    contact,
    wink,
    wint,
    wind,
    vtype,
    usera,
    yeara,
    sdate,
    edate,
    viprek,
notes)
    VALUES
('$_POST[firstname]',
'$_POST[lastname]',
'$_POST[email]',
'$_POST[invoice]',
'$_POST[company]',
'$_POST[arenew]',
'$_POST[contact]',
'$_POST[wink]',
'$_POST[wint]',
'$_POST[wind]',
'$_POST[vtype]',
'$_POST[usera]',
'$_POST[yeara]',
'$_POST[sdate]',
'$edate=implode('-', {$_POST['edate']})',
'$_POST[viprek]',
'$_POST[notes]')";

if (!mysql_query($sql))
  {
  die('Error: ' . mysql_error());
  }
header("Location: index.php");

mysql_close($con)
?>

php

Edited 12 Years Ago by ARKaMAN because: n/a

3 Contributors
4 Replies
134 Views
6 Hours Discussion Span
Latest Post 12 Years Ago Latest Post by diafol

diafol

12 Years Ago

'$_POST[firstname]'

should be:

'{$_POST['firstname']}'

etc. BUT you should NEVER put unsanitized inputs into this type of sql query

ALSO

'$edate=implode('-', {$_POST['edate']})',

You can't place a function to run within quotes. That doesn't seem to make much sense to me. Why would you try to give a php variable a value inside an sql string?

",...,..," . implode('-', $_POST['edate']) . ",...,...";

would make more sense, but applying this value to a variable ($edate) before creating the sql string and then including the var in the sql would make the sql string more readable:

'$edate','...','...'

BUT again, you should clean the input ($_POST).

Edited 12 Years Ago by diafol because: n/a

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

ARKaMAN 0 Light Poster · Answer 1 · 2012-02-10T01:27:23+00:00

Can you link to a resource explaining what this cleaning is? Also why is it important?

broj1 356 Humble servant Featured Poster · Answer 2 · 2012-02-10T01:28:08+00:00

And also check if each element of the $_POST array is actually set with isset(). Maybe $_POST has not been set.

diafol · Answer 3 · 2012-02-10T01:41:58+00:00

With all due respect ARK, I noticed from a previous thread: http://www.daniweb.com/web-development/php/threads/409105/1748409#post1748409 that you actually used braces with your unsanitized post variables. Why do you regress?

My posts here:
http://www.daniweb.com/web-development/php/threads/409068/1745889#post1745889
and
http://www.daniweb.com/web-development/php/threads/409068/1745981#post1745981

cover this.

I suggest you read your past threads carefully. I'm not in the mood to repeat myself. If you have absolutely no idea of what you're doing, get hold of some tutorials - online or in print. Google for sanitizing or cleaning $_POST and $_GET variables in php. It's as simple as that. Alternatively, you can continue to ignore advice, but please don't ask for the same advice again.

Bye.