My question concerns why one piece of code works and two that do not, and how I can get the code that does not work to work.
The code that works:
mysql_select_db("webuser1", $con);
mysql_query("INSERT INTO users (column1, column2) VALUES ('value1', 'value2')");
mysql_close($con);
Code no. 1 that does not work ($var1 contains 'value1' etc.):
mysql_select_db("webuser1", $con);
mysql_query("INSERT INTO users (column1, column2) VALUES ($var1, $var2)");
mysql_close($con);
And code no. 2 that does not work ($_POST['value1'] contains 'value1' etc.):
mysql_select_db("webuser1", $con);
mysql_query("INSERT INTO users (column1, column2) VALUES ($_POST['value1'], $_POST['value2'])");
mysql_close($con);
Am I not supposed to be able to insert $var or $_POST in MySQL? I hope you do not find this question stupid, but I have been looking around for solutions and I have not understood them. Thank you.
Suppose you have a table ready with columns and now you wish to put in values in it. To put values in a table, MySQL provides you with the INSERT statement. It is important to note that the CREATE TABLE statement enables you to create columns while the INSERT statement enables you to insert rows or records into a table.
The MySQL INSERT INTO statement. The INSERT INTO statement is used to insert new records in a table. INSERT INTO syntax: it is possible to write the INSERT INTO statement in two ways. 1. Specify both the column names and the values to be inserted:
2) MySQL INSERT: inserting rows using a default value, example. If you want to insert a default value into a column, you have two ways: ignore both the column name and value in the INSERT statement, or specify the column name in the INSERT INTO clause and use the DEFAULT keyword in the VALUES clause.
MySQL uses the number 3 to insert into the priority column. The following statement returns the contents of the tasks table after the insert: To insert a literal date value into a column, you use the following format: YYYY represents a four-digit year, e.g., 2018. MM represents a two-digit month, e.g., 01, 02, and 12.
In SQL, string values need to be quoted:
VALUES ('value1', 'value2')"
When you use variables:
VALUES ($var1, $var2)");
They are not quoted … unless the quotes are in the values themselves.
So if $var1 = 'value1'; $var2 = 'value2'
then (after the variables are interpolated in your string) your SQL looks like this:
VALUES (value1, value2)"
You could resolve your immediate problem by adding quotes:
VALUES ('$var1', '$var2')");
but this doesn't fix your major security vulnerability and lets your data break the query in different ways.
You should avoid creating SQL statements by assembling strings from variables. This way leads to SQL Injection security holes. Use an interface that supports bound arguments. They will handle quoting and escaping for you.
MySQL needs single quotes to enclose a string, so you would need something like this:
mysql_query("INSERT INTO users (column1, column2) VALUES ('".$_POST['value1']."', '".$_POST['value2']."')");
For everything that is not a string you won't need the single quotes (').
As mentioned before, you should not forget to escape strings that you want to put into the database. For example, use prepared statements. By binding the parameters it is ensured that your passed value is of the type you specified within the prepared statement.
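Both answers recommend bound parameters instead of assembling the query from strings. The following is an added example, not code from the question or from either answer, showing the same INSERT written with a mysqli prepared statement (the old mysql_* functions used in the question were removed in PHP 7). It assumes a MySQL server reachable with the constructed credentials below and a table `users` with two VARCHAR columns `column1` and `column2`.

```php
<?php
// Added example: mysqli prepared statement for the INSERT from the question.
// Assumed (constructed) connection details; replace with your own.
$con = new mysqli('localhost', 'db_user', 'db_password', 'webuser1');
if ($con->connect_error) {
    die('Connection failed: ' . $con->connect_error);
}

// Values come straight from the form. No manual quoting or escaping is done
// here: that is the job of the prepared statement below.
$value1 = $_POST['value1'] ?? '';
$value2 = $_POST['value2'] ?? '';

// The SQL text contains only placeholders; the data is sent to the server
// separately, so the server never parses user input as part of the query.
$stmt = $con->prepare('INSERT INTO users (column1, column2) VALUES (?, ?)');
if ($stmt === false) {
    die('Prepare failed: ' . $con->error);
}

// 'ss' declares two string parameters. A value such as O'Brien, which would
// break the quoted-concatenation version with an unterminated string, is
// stored literally here.
$stmt->bind_param('ss', $value1, $value2);

if (!$stmt->execute()) {
    die('Insert failed: ' . $stmt->error);
}

echo 'Inserted row with id ' . $con->insert_id . "\n";

$stmt->close();
$con->close();
```

The same pattern works with PDO (`$pdo->prepare(...)` followed by `execute([$value1, $value2])`); what matters is that the query text and the values travel to MySQL separately, so the quoting problem in the question disappears and the injection risk described in the first answer is removed at the same time.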