PHP $SQLInsert

I added two more fields to the table picksummary

fields =

onetime
showdown

I was using this insert statement to insert my current fields.  I just need help adding these fields to this insert statement

 $sql = "insert into " . $db_prefix . "picksummary (weekNum, userID, tieBreakerPoints, showPicks) values (" . $_POST['week'] . ", " . $user->userID . ", " . $_POST['tieBreakerPoints'] . ", " . (int)$_POST['showPicks'] . ");";


Thanks
MPDenverAsked:

Julian HansenCommented:
// Assuming here that onetime and showdown are also submitted in $_POST
$sql = "INSERT INTO " . $db_prefix . "picksummary (
          weekNum, 
          userID, 
          tieBreakerPoints, 
          showPicks,
          onetime, 
          showdown) 
      VALUES (
          " . $_POST['week'] . ", 
          " . $user->userID . ", 
          " . $_POST['tieBreakerPoints'] . ", 
          " . (int)$_POST['showPicks'] . ",
          " . $_POST['onetime'] . ",
          " . $_POST['showdown'] . ");";



Also note that none of your VALUES are enclosed in quotes. If any of the above values are string values, you will need to add quotes to the string like so:
        VALUES (
           '" . $stringval . "',


0

Ray PaseurCommented:
Please see http://xkcd.com/327/ where you will see the potential consequences of using external data in a query string.  The code snippet shows how to escape the data for safe use in a query.  Obviously this is untested, but it's pretty close.  You may not need to quote all of the query inputs, but it doesn't hurt anything.

This example assumes that the script is using MySQL.  If it is, in fact, using MySQL, you have a database conversion coming at you because PHP is removing the MySQL extension.  This article will show you what you must do to keep your scripts running. It maps the familiar MySQL to the MySQLi and PDO extensions, which will continue to have support in the future.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html

// CONSTRUCT THE TABLE NAME
$tbl = $db_prefix . 'picksummary';

// SANITIZE EXTERNAL DATA FOR USE IN THE QUERY STRING
$wkn = mysql_real_escape_string($_POST['week']);
$tbp = mysql_real_escape_string($_POST['tieBreakerPoints']);
$spx = (int)$_POST['showPicks'];
$one = mysql_real_escape_string($_POST['onetime']);
$sdn = mysql_real_escape_string($_POST['showdown']);

// CREATE THE QUERY
$sql = "
INSERT INTO $tbl 
( weekNum
, userID
, tieBreakerPoints
, showPicks
, onetime
, showdown
) 
VALUES 
( '$wkn'
, '$user->userID'
, '$tbp'
, '$spx'
, '$one'
, '$sdn'
)
";


Best of luck with your project, ~Ray
0
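As an added example (not part of the question or of either answer), here is the same INSERT written as a PDO prepared statement, the migration path the comment above points at: the POST values are sent as bound parameters instead of being spliced into the SQL text, so no escaping function is involved. It assumes an existing PDO connection $pdo and treats onetime and showdown as integer flags like showPicks (the question does not state their types); the table, column and $_POST names are the ones from the question.

```php
<?php
// Added example: parameterized INSERT for picksummary with PDO.
// Assumptions: $pdo is an open PDO connection; onetime and showdown are
// integer flags (bind with PDO::PARAM_STR instead if they hold text).

function insertPickSummary(PDO $pdo, string $db_prefix, int $userID, array $post): int
{
    // Placeholders cannot stand in for identifiers, so the table prefix
    // (which cannot be bound) is checked against a strict pattern before
    // it is concatenated into the statement text.
    if (!preg_match('/^[A-Za-z0-9_]{0,32}$/', $db_prefix)) {
        throw new InvalidArgumentException('Unexpected table prefix');
    }
    $table = $db_prefix . 'picksummary';

    $sql = "INSERT INTO $table
              (weekNum, userID, tieBreakerPoints, showPicks, onetime, showdown)
            VALUES
              (:weekNum, :userID, :tieBreakerPoints, :showPicks, :onetime, :showdown)";

    $stmt = $pdo->prepare($sql);

    // Every external value is cast and bound with an explicit type; the
    // driver, not string concatenation, carries it to the server.
    $stmt->bindValue(':weekNum',          (int)($post['week'] ?? 0),             PDO::PARAM_INT);
    $stmt->bindValue(':userID',           $userID,                               PDO::PARAM_INT);
    $stmt->bindValue(':tieBreakerPoints', (int)($post['tieBreakerPoints'] ?? 0), PDO::PARAM_INT);
    $stmt->bindValue(':showPicks',        (int)($post['showPicks'] ?? 0),        PDO::PARAM_INT);
    $stmt->bindValue(':onetime',          (int)($post['onetime'] ?? 0),          PDO::PARAM_INT);
    $stmt->bindValue(':showdown',         (int)($post['showdown'] ?? 0),         PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->rowCount(); // 1 on a successful single-row insert
}

// Usage with assumed connection details; exceptions surface driver errors
// instead of silently producing a malformed query.
// $pdo = new PDO('mysql:host=localhost;dbname=picks', 'dbuser', 'dbpass', [
//     PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES   => false,
// ]);
// insertPickSummary($pdo, $db_prefix, $user->userID, $_POST);
```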
Ray PaseurCommented:
Sometimes the authors of questions here at EE do not understand well enough to distinguish between a good answer and a dangerously incomplete answer.

To anyone in the future who views this question and sees the accepted answer, please stop! Do NOT use external data in a query string.  If you do what is shown in the code sample of the accepted answer, you're setting yourself up for a run-time failure.

Here are the man pages you should read to understand why I advise against following the example that was accepted here.
http://php.net/manual/en/language.variables.external.php
http://php.net/manual/en/security.variables.php

"This function must always (with few exceptions) be used to make data safe before sending a query to MySQL."
http://php.net/manual/en/function.mysql-real-escape-string.php
http://php.net/manual/en/mysqli.real-escape-string.php
0