richart

  1. Thanks for the response. I did some reading on prepared statements and came up with the following code. Is there anything else you would add to prevent SQL injection?

         // database connection ($dbhost, $dbname, $dbuser, $dbpass are set elsewhere)
         $conn = new PDO("mysql:host=$dbhost;dbname=$dbname", $dbuser, $dbpass);

         // new data, read from the third-party form object
         $fname     = $easyForm->field['fname']['value'];
         $lname     = $easyForm->field['lname']['value'];
         $title     = $easyForm->field['title']['value'];
         $agency    = $easyForm->field['agency']['value'];
         $telephone = $easyForm->field['telephone']['value'];
         $interest  = $easyForm->field['interest']['value'];
         $email     = $easyForm->field['email']['value'];

         // query with named placeholders; the values are bound at execute(), never concatenated into the SQL text
         $sql = "INSERT INTO registration (registration_date, fname, lname, title, agency, telephone, interest, email)
                 VALUES (NOW(), :fname, :lname, :title, :agency, :telephone, :interest, :email)";
         $q = $conn->prepare($sql);
         $q->execute(array(
             ':fname'     => $fname,
             ':lname'     => $lname,
             ':title'     => $title,
             ':agency'    => $agency,
             ':telephone' => $telephone,
             ':interest'  => $interest,
             ':email'     => $email
         ));
  2. Good morning, I am trying to implement a simple sanitization of data before inserting it in my database and am having a little trouble due to the fact that I am using a third-party script that is accessing posted variables in a way that is unfamiliar to me... here's the data. The problem area is red. The form simply hangs up when submitted. I have used this method in the past, but not with an object operator.

         // insert into database
         $servername = "localhost";
         $username   = "psychtoo_richart";
         $password   = "mypassword";
         $dbname     = "mydatabase";

         // the escaping call described as the problem area: mysql_real_escape_string() belongs to the
         // old mysql extension and needs a mysql_connect() link, while the connection below is mysqli
         $fname     = mysql_real_escape_string($easyForm->field['fname']['value']);
         $lname     = $easyForm->field['lname']['value'];
         $title     = $easyForm->field['title']['value'];
         $agency    = $easyForm->field['agency']['value'];
         $telephone = $easyForm->field['telephone']['value'];
         $interest  = $easyForm->field['interest']['value'];
         $email     = $easyForm->field['email']['value'];

         // Create connection
         $conn = new mysqli($servername, $username, $password, $dbname);

         // Check connection
         if ($conn->connect_error) {
             die("Connection failed: " . $conn->connect_error);
         }

         // sql statement (values are interpolated directly into the query string)
         $sql = "INSERT INTO registration (registration_date, fname, lname, title, agency, phone, interest, email)
                 VALUES (NOW(), '$fname', '$lname', '$title', '$agency', '$telephone', '$interest', '$email')";
         $conn->query($sql);
         $conn->close();
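As an added illustration (not richart's code, nor the third-party form script's), the string-built INSERT from the second post placed beside a hardened PDO version of the first post's prepared statement. It assumes the same $easyForm object, the $dbhost/$dbname/$dbuser/$dbpass variables and the registration table columns named in the posts; the PDO options, the validation checks and the length limit of 100 are assumptions added here.

```php
<?php
// Added example, not code from the posts. $easyForm, $dbhost, $dbname, $dbuser
// and $dbpass are assumed to exist as in the posts above.

// VULNERABLE (the pattern from the second post): field values are interpolated
// into the SQL text, so a quote inside any field changes the statement itself.
// Kept only for contrast with the hardened version below.
function insertUnsafe(mysqli $conn, array $f): bool {
    $sql = "INSERT INTO registration (registration_date, fname, email)
            VALUES (NOW(), '{$f['fname']}', '{$f['email']}')";
    return (bool) $conn->query($sql);
}

// HARDENED: failures become exceptions instead of silent false returns, and
// emulated prepares are off so the server, not the client, separates SQL from data.
function connectDb(string $host, string $db, string $user, string $pass): PDO {
    return new PDO("mysql:host=$host;dbname=$db;charset=utf8mb4", $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

function insertRegistration(PDO $conn, array $f): int {
    // Binding stops injection; it does not make bad data good, so validate shape too.
    if (filter_var($f['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    if (mb_strlen($f['fname']) > 100 || mb_strlen($f['lname']) > 100) {
        throw new InvalidArgumentException('name too long');   // assumed column width
    }
    $sql = "INSERT INTO registration
              (registration_date, fname, lname, title, agency, telephone, interest, email)
            VALUES (NOW(), :fname, :lname, :title, :agency, :telephone, :interest, :email)";
    $q = $conn->prepare($sql);
    foreach (['fname', 'lname', 'title', 'agency', 'telephone', 'interest', 'email'] as $k) {
        $q->bindValue(":$k", $f[$k], PDO::PARAM_STR);   // every value travels as data
    }
    $q->execute();
    return (int) $conn->lastInsertId();
}

// Usage with the form object from the posts.
$fields = [];
foreach (['fname', 'lname', 'title', 'agency', 'telephone', 'interest', 'email'] as $k) {
    $fields[$k] = $easyForm->field[$k]['value'];
}
$conn = connectDb($dbhost, $dbname, $dbuser, $dbpass);
$newId = insertRegistration($conn, $fields);
```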