<?php
if (isset($_POST['submit'])) {
$sql = "INSERT INTO NewsAwards (idnNewsAwardID, txtName, txtTitle, txtOrg, memCitation, memSignificance, dtmDate, txtOther, txtContact, intDept, dtmReceived) VALUES (NULL, $_POST['txtName'], $_POST['txtTitle'], $_POST['txtOrg'], $_POST['memCitation'], $_POST['memSignificance'], $_POST['dtmDate'], $_POST['txtOther'], $_POST['txtContact'], $_POST['intDept'], NULL)";
}?>
Any help appreciated!
Try enclosing your values using apostrophes:
$sql = "INSERT INTO NewsAwards (idnNewsAwardID, txtName, txtTitle, txtOrg, memCitation, memSignificance, dtmDate, txtOther, txtContact, intDept, dtmReceived) VALUES (NULL, '".$_POST['txtName']."', '".$_POST['txtTitle']."', '".$_POST['txtOrg']."', '".$_POST['memCitation']."', '".$_POST['memSignificance']."', '".$_POST['dtmDate']."', '".$_POST['txtOther']."', '".$_POST['txtContact']."', '".$_POST['intDept']."', NULL)";
or use braces:
$sql = "INSERT INTO NewsAwards (idnNewsAwardID, txtName, txtTitle, txtOrg, memCitation, memSignificance, dtmDate, txtOther, txtContact, intDept, dtmReceived) VALUES (NULL, '{$_POST['txtName']}', '{$_POST['txtTitle']}', '{$_POST['txtOrg']}', '{$_POST['memCitation']}', '{$_POST['memSignificance']}', '{$_POST['dtmDate']}', '{$_POST['txtOther']}', '{$_POST['txtContact']}', '{$_POST['intDept']}', NULL)";
dc
If the script you are developing is to be used on the web by anyone visiting your site, you would be wise to verify the info submitted PRIOR to inserting it into your database. As it is written above, it allows a malicious individual to compromise your database through SQL injection.
If your code is only going to be used by you as a learning experience, it might be OK. However, in my opinion, it's better to learn to code with safety in mind from the beginning than to try to add the security in later.
Just my 2 cents. (By the way, I learned this lesson the hard way)
Regards,
IamStang
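The INSERT from this thread with each field checked before it reaches the database and the values bound as parameters instead of pasted into the SQL string. This is an added example, not code from any poster in the thread. The thread does not name the database driver, so PDO with an in-memory SQLite database is assumed to make it run stand-alone; `$post`, `validateAward()` and the 2000-character limit are hypothetical.

```php
<?php
// Added example: validate each field, then insert with bound parameters.
// Assumed: in-memory SQLite via PDO; $post is constructed input standing in for $_POST.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE NewsAwards (
    idnNewsAwardID INTEGER PRIMARY KEY, txtName TEXT, txtTitle TEXT, txtOrg TEXT,
    memCitation TEXT, memSignificance TEXT, dtmDate TEXT, txtOther TEXT,
    txtContact TEXT, intDept INTEGER, dtmReceived TEXT)');

// Constructed input; the apostrophe in txtName would break string-built SQL.
$post = [
    'txtName' => "Pat O'Neil", 'txtTitle' => 'Professor', 'txtOrg' => 'Example Org',
    'memCitation' => 'For service', 'memSignificance' => 'Regional award',
    'dtmDate' => '2005-03-14', 'txtOther' => '', 'txtContact' => 'pat@example.org',
    'intDept' => '12',
];

function validateAward(array $in): array
{
    $textFields = ['txtName', 'txtTitle', 'txtOrg', 'memCitation',
                   'memSignificance', 'txtOther', 'txtContact'];
    $clean = [];
    foreach ($textFields as $f) {
        $v = trim((string)($in[$f] ?? ''));
        if (strlen($v) > 2000) { // length limit is an assumed value
            throw new InvalidArgumentException("$f is too long");
        }
        $clean[$f] = $v;
    }
    // The date must be a real calendar date in YYYY-MM-DD form.
    $raw = (string)($in['dtmDate'] ?? '');
    $d = DateTime::createFromFormat('!Y-m-d', $raw);
    if ($d === false || $d->format('Y-m-d') !== $raw) {
        throw new InvalidArgumentException('dtmDate must be YYYY-MM-DD');
    }
    $clean['dtmDate'] = $raw;
    // The department must be a positive integer.
    $dept = filter_var($in['intDept'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($dept === false) { throw new InvalidArgumentException('intDept must be a positive integer'); }
    $clean['intDept'] = $dept;
    return $clean;
}

$row = validateAward($post);
$cols = array_keys($row); // column names come from the fixed list above, never from user input
$sql = 'INSERT INTO NewsAwards (' . implode(', ', $cols) . ') VALUES (:' . implode(', :', $cols) . ')';
$pdo->prepare($sql)->execute($row); // values travel separately from the SQL text
echo $pdo->query('SELECT txtName FROM NewsAwards')->fetchColumn(), "\n";
```

The two columns the original statement set to NULL are left out of the column list, so they take their defaults.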