MPDenver

asked on

PHP $SQLInsert

I added two more fields to the table picksummary

fields =

onetime
showdown

I was using this insert statement to insert my current fields. I just need help adding these fields to this insert statement.

 $sql = "insert into " . $db_prefix . "picksummary (weekNum, userID, tieBreakerPoints, showPicks) values (" . $_POST['week'] . ", " . $user->userID . ", " . $_POST['tieBreakerPoints'] . ", " . (int)$_POST['showPicks'] . ");";


Thanks
ASKER CERTIFIED SOLUTION
Julian Hansen
This solution is only available to members of Experts Exchange.
Please see http://xkcd.com/327/ where you will see the potential consequences of using external data in a query string.  The code snippet shows how to escape the data for safe use in a query.  Obviously this is untested, but it's pretty close.  You may not need to quote all of the query inputs, but it doesn't hurt anything.

This example assumes that the script is using MySQL.  If it is, in fact, using MySQL, you have a database conversion coming at you because PHP is removing the MySQL extension.  This article will show you what you must do to keep your scripts running. It maps the familiar MySQL to the MySQLi and PDO extensions which will continue to have support in the future.
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html

// CONSTRUCT THE TABLE NAME (the table name must be a quoted string literal,
// otherwise PHP treats picksummary as an undefined constant)
$tbl = $db_prefix . 'picksummary';

// SANITIZE EXTERNAL DATA FOR USE IN THE QUERY STRING
// mysql_real_escape_string() needs an open MySQL connection (mysql_connect) to work
$wkn = mysql_real_escape_string($_POST['week']);
$tbp = mysql_real_escape_string($_POST['tieBreakerPoints']);
$spx = (int)$_POST['showPicks'];
$one = mysql_real_escape_string($_POST['onetime']);
$sdn = mysql_real_escape_string($_POST['showdown']);

// CREATE THE QUERY (every escaped value is wrapped in single quotes;
// $user->userID comes from the application, not from the request)
$sql = "
INSERT INTO $tbl
( weekNum
, userID
, tieBreakerPoints
, showPicks
, onetime
, showdown
)
VALUES
( '$wkn'
, '$user->userID'
, '$tbp'
, '$spx'
, '$one'
, '$sdn'
)
";


Best of luck with your project, ~Ray
Sometimes the authors of questions here at EE do not understand well enough to distinguish between a good answer and a dangerously incomplete answer.

To anyone in the future who views this question and sees the accepted answer, please stop! Do NOT use external data in a query string.  If you do what is shown in the code sample of the accepted answer, you're setting yourself up for a run-time failure.

Here are the man pages you should read to understand why I advise against following the example that was accepted here.
http://php.net/manual/en/language.variables.external.php
http://php.net/manual/en/security.variables.php

"This function must always (with few exceptions) be used to make data safe before sending a query to MySQL."
http://php.net/manual/en/function.mysql-real-escape-string.php
http://php.net/manual/en/mysqli.real-escape-string.php
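The MySQLi/PDO migration Ray mentions, applied to this exact six-column INSERT, as an added example that is not code from the question or from any answer on this page; it is also the form the last comment is asking for, since external data never enters the query string. It assumes an open PDO connection $pdo, the $db_prefix and $user->userID variables from the question, integer columns for the four original fields (the question inserts them unquoted), and binds onetime and showdown as strings because their column types are not given.

```php
<?php
// Added example, not code from the question or from any answer on this page.
// The same INSERT as a PDO prepared statement: the values are sent to MySQL as
// bound parameters, separate from the SQL text, so the script does no quoting
// or escaping at all. Assumptions: $pdo is an open PDO connection to MySQL;
// $db_prefix and $user->userID exist as in the question; weekNum, userID,
// tieBreakerPoints and showPicks are integer columns; onetime and showdown are
// bound as strings because their column types are not given on the page.

function insertPickSummary(PDO $pdo, string $db_prefix, int $userID, array $post): int
{
    // A table name cannot be a bound parameter, so build it from the configured
    // prefix only and reject anything that is not a plain identifier.
    $table = $db_prefix . 'picksummary';
    if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
        throw new InvalidArgumentException("Unsafe table name: $table");
    }

    $sql = "INSERT INTO `$table`
              (weekNum, userID, tieBreakerPoints, showPicks, onetime, showdown)
            VALUES
              (:week, :userID, :tbp, :showPicks, :onetime, :showdown)";

    $stmt = $pdo->prepare($sql);
    // Explicit types: integers are cast in PHP and bound as PARAM_INT, the two
    // new fields are bound as strings. Validate presence of the POST keys first.
    $stmt->bindValue(':week',      (int)$post['week'],             PDO::PARAM_INT);
    $stmt->bindValue(':userID',    $userID,                         PDO::PARAM_INT);
    $stmt->bindValue(':tbp',       (int)$post['tieBreakerPoints'],  PDO::PARAM_INT);
    $stmt->bindValue(':showPicks', (int)$post['showPicks'],         PDO::PARAM_INT);
    $stmt->bindValue(':onetime',   (string)$post['onetime'],        PDO::PARAM_STR);
    $stmt->bindValue(':showdown',  (string)$post['showdown'],       PDO::PARAM_STR);
    $stmt->execute();   // throws PDOException when ERRMODE_EXCEPTION is set

    return (int)$pdo->lastInsertId();
}

// Usage (DSN and credentials are placeholders). Turning off emulated prepares
// makes the MySQL server itself parse the statement with real parameters.
$pdo = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', 'YOUR_USER', 'YOUR_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$newId = insertPickSummary($pdo, $db_prefix, (int)$user->userID, $_POST);
```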