How can I add mysql_real_escape_string() to this:

$result = mysql_send("INSERT customers SET user='$username', pword='$pass1', 
                      firstname='$firstname', lastname='$lastname', email='$email', 
                      active='No', activecode='$activecode', dateofbirth='$dateofbirth', 
                      gender='$gender', title='$title', occupation='$occupation', 
                      address='$address', city='$city', country='$country', zip='$zip',
                      mobile='$mobile', telephone='$telephone', fax='$fax', 
                      website='$website'
                     ");
+2  A: 
$result = mysql_send("  INSERT  customers
                        SET     user='".mysql_real_escape_string($username)."', 
                                pword='".mysql_real_escape_string($pass1)."', 
                                firstname='".mysql_real_escape_string($firstname)."', 
                                lastname='".mysql_real_escape_string($lastname)."', 
                                email='".mysql_real_escape_string($email)."', 
                                active='No', 
                                activecode='".mysql_real_escape_string($activecode)."', 
                                dateofbirth='".mysql_real_escape_string($dateofbirth)."', 
                                gender='".mysql_real_escape_string($gender)."', 
                                title='".mysql_real_escape_string($title)."', 
                                occupation='".mysql_real_escape_string($occupation)."', 
                                address='".mysql_real_escape_string($address)."', 
                                city='".mysql_real_escape_string($city)."', 
                                country='".mysql_real_escape_string($country)."', 
                                zip='".mysql_real_escape_string($zip)."', 
                                mobile='".mysql_real_escape_string($mobile)."', 
                                telephone='".mysql_real_escape_string($telephone)."', 
                                fax='".mysql_real_escape_string($fax)."', 
                                website='".mysql_real_escape_string($website)."'
                    ");
Kau-Boy
Lol. That's really ridiculous. "How to add" was meant literally; it was just a syntax question.
Col. Shrapnel
A: 
$result = mysql_send("INSERT customers SET
                      user='".mysql_real_escape_string($username)."',
                      pword='".mysql_real_escape_string($pass1)."',
                      firstname='".mysql_real_escape_string($firstname)."',
                      lastname='".mysql_real_escape_string($lastname)."',
                      email='".mysql_real_escape_string($email)."',
                      active='No',
                      activecode='".mysql_real_escape_string($activecode)."',
                      dateofbirth='".mysql_real_escape_string($dateofbirth)."',
                      gender='".mysql_real_escape_string($gender)."',
                      title='".mysql_real_escape_string($title)."',
                      occupation='".mysql_real_escape_string($occupation)."',
                      address='".mysql_real_escape_string($address)."',
                      city='".mysql_real_escape_string($city)."',
                      country='".mysql_real_escape_string($country)."',
                      zip='".mysql_real_escape_string($zip)."',
                      mobile='".mysql_real_escape_string($mobile)."',
                      telephone='".mysql_real_escape_string($telephone)."',
                      fax='".mysql_real_escape_string($fax)."',
                      website='".mysql_real_escape_string($website)."'
                     ");
Maulik Vora
+2  A: 

I do it this way (assuming the HTML form's field names exactly match the database column names):

// every column that may be filled from the form; nothing else from $_POST is used
$fields = explode(" ","user pword firstname lastname email active activecode dateofbirth gender title occupation address city country zip mobile telephone fax website");

$_POST['active'] = "No"; // I know it's kinda dirty, but it works.
$sql = "INSERT INTO customers SET ".makeDdbSet($fields);

function makeDdbSet($fields) {
  $q='';
  foreach ($fields as $v) {
    $val = isset($_POST[$v]) ? $_POST[$v] : ''; // missing field: store an empty string instead of raising a notice
    $q.="`$v` = '".mysql_real_escape_string($val)."', ";
  }
  return trim($q,", "); // drop the trailing comma
}

looks neat to me.

Col. Shrapnel
A really nice and handy function! But I would have added all lines in the foreach to an ARRAY $q and then used the implode() function instead of trimming the last comma.
Kau-Boy
@Kau that's perfectionism that spoils you. There is not a single reason to use an array here. Same amount of code, and the other differences are negligible.
Col. Shrapnel
+1  A: 

Don't; just call a stored proc :P

f00
+2  A: 

Escaping is quite old-school. Instead, use prepared statements to separate queries and data.

This saves you lots of headaches.

$sql = "INSERT customers SET user=:user, pword = :pword .....";
$sth = $dbh->prepare($sql);
$sth->execute(array('user' => $username, 'pword' => $pass1));

Depending on where you get the data from, you might also directly have it in an array.

For example, if you get a lot of data from a form with the field names pword, user and so on, you can directly use that array:

$sth->execute($_POST);
Alex
It's twice as much code as the current approach. Any way to make it shorter?
Col. Shrapnel
You could create a function which would generate the SQL and the prepared data array for you (e.g. function insert_into($table, $data)).
knagode
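Added example (not from the question or any of the answers above): the insert_into() helper that knagode's comment sketches, written with PDO prepared statements. It assumes PHP 7 or later (the mysql_* extension the question uses was removed in PHP 7), an existing MySQL table named customers with the listed columns, and the DSN and credentials shown, which are placeholders. Two things the shorter $sth->execute($_POST) one-liner does not handle are covered here: column names cannot be bound as parameters, so they come from a fixed whitelist rather than from the request, and extra keys in $_POST (a CSRF token, a submit button) are dropped instead of making PDO fail with "invalid parameter number".

```php
<?php
// Added example, not code from the original page. Assumes PHP >= 7, PDO with
// the MySQL driver, and a `customers` table with the columns listed below.

// Whitelist of columns the form may fill. Column names are never taken from
// the request; they are spliced into the SQL only from this fixed list.
$customerColumns = array(
    'user', 'pword', 'firstname', 'lastname', 'email', 'dateofbirth',
    'gender', 'title', 'occupation', 'address', 'city', 'country', 'zip',
    'mobile', 'telephone', 'fax', 'website',
);

/**
 * Insert one row into $table from $data, using only keys present in
 * $allowedColumns; $fixed holds server-side values (e.g. active='No').
 * Returns the number of rows inserted (0 or 1).
 */
function insert_into(PDO $pdo, $table, array $allowedColumns, array $data, array $fixed = array())
{
    $set = array();
    $params = array();
    foreach ($allowedColumns as $col) {
        if (!array_key_exists($col, $data) || array_key_exists($col, $fixed)) {
            continue; // absent field: let the column default apply; fixed wins over form
        }
        $set[] = "`$col` = :$col";
        $params[':' . $col] = $data[$col]; // value is sent separately from the SQL text
    }
    foreach ($fixed as $col => $value) {
        $set[] = "`$col` = :$col";
        $params[':' . $col] = $value;
    }
    if (!$set) {
        throw new InvalidArgumentException('no insertable columns in data');
    }
    // $table comes from code, never from user input
    $sql = "INSERT INTO `$table` SET " . implode(', ', $set);
    $sth = $pdo->prepare($sql);
    $sth->execute($params);
    return $sth->rowCount();
}

// Placeholder DSN and credentials (assumption). Emulated prepares are turned
// off so the MySQL server itself keeps SQL and data apart; errors throw.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'app', 'secret');
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample input standing in for $_POST. The apostrophe in
// lastname is harmless as a bound value; the csrf_token key is ignored
// because it is not in the whitelist.
$submitted = array(
    'user'       => 'jdoe',
    'pword'      => password_hash('s3cret', PASSWORD_DEFAULT), // store a hash, not the password
    'firstname'  => 'John',
    'lastname'   => "O'Brien",
    'email'      => 'jdoe@example.com',
    'csrf_token' => 'abc123',
);

$inserted = insert_into($pdo, 'customers', $customerColumns, $submitted, array(
    'active'     => 'No',
    'activecode' => bin2hex(random_bytes(16)), // generated server-side
));
```

The escaping answers above protect only quoted string literals and only if the connection's character set is known to the escaping function; binding values through prepare()/execute() removes both conditions, and the whitelist keeps the one thing that cannot be bound, the column name, out of the attacker's hands.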
+2  A: 

Maybe you can take some time and check out Doctrine ORM.

Saving to database would then look like:

$customer = new Customer();
$customer->fromArray($data); // $data = array("firstname"=>"John", ...)
$customer->save();

Everything will be escaped, your program will also be more readable ...

knagode
from where do you get that "John"?
Col. Shrapnel
The simplest example would probably be: $customer->fromArray($_POST); --> every field from POST which matches a column in the "customer" table will be saved into the database.
knagode
Well, with actual data it will be way more code than now. What's the benefit?
Col. Shrapnel
Less code doesn't mean a better program. Doctrine simply makes your program more readable, it speeds up your development and gives you much more power than SQL. You can check it out here: http://www.doctrine-project.org (ORM section).
knagode
Why should I check out somewhere? Why can't you show that more readable code right here? Is it too hard to do it using your ORM?
Col. Shrapnel
Example: you have news and news_comment tables. Get news by id: $news = Doctrine::getTable("News")->find(1); Get the news comments: foreach ($news->Comments as $comment) { echo $comment->content; } Insert a new comment for the current news: $comment = new NewsComment(); $comment->content = "blah"; $news->Comments[] = $comment; $news->save(); I hope you see some difference :)
knagode
You can also write escaped queries like $news = Doctrine_Query::create()->from("News")->where("hidden = ?", false)->execute();
knagode