paulman888888
Posted May 29, 2008

please can you check my code for errors.

<?php
mysql_connect("popcorn.com", "something", "its tony") or die(mysql_error());
echo "Connected to MySQL<br />";
mysql_select_db("pauhut5_db2") or die('Theres an error. Please try again.');
echo "Connected to Database";
// Insert a row of information into the table "example"
mysql_query("INSERT INTO example (name, score) VALUES('$_GET[name]', '$_GET[score]' ) ")
or die('Theres an error. Please try again.');
echo "Score Uploaded!";
?>

ILYAS415
Posted May 29, 2008

It's all right but there's unnecessary stuff in the code (the echoes but I'm not sure if you chose to include those yourself). Also your query is very vulnerable to SQL injection because you aren't parsing the $_GET stuff. No errors tho I think... If you do not know how to secure against SQL injection or even what it is we will be glad to help.

paulman888888 (Author)
Posted May 29, 2008

How do I make it safer then?

thebadbad
Posted May 29, 2008

You've got two errors. $_GET[name] should be $_GET['name'] (the key is a string, not an integer). Also applies to 'score' of course. To insert them properly, and prevent SQL injections like ILYAS is pointing out, you should escape them with mysql_real_escape_string():

<?php
mysql_connect("popcorn.com", "something", "its tony") or die(mysql_error());
echo "Connected to MySQL<br />";
mysql_select_db("pauhut5_db2") or die('Theres an error. Please try again.');
echo "Connected to Database";
// Insert a row of information into the table "example"
mysql_query("INSERT INTO example (name, score) VALUES('" . mysql_real_escape_string($_GET['name']) . "', '" . mysql_real_escape_string($_GET['score']) . "')")
or die('Theres an error. Please try again.');
echo "Score Uploaded!";
?>
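
An added example, not part of any post in this thread: the same INSERT written with a PDO prepared statement and integer validation of score, since the mysql_* functions used above were removed in PHP 7.0. The saveScore() helper, the 50-character name limit and the in-memory SQLite database standing in for the MySQL server are assumptions made for illustration.

```php
<?php
// Added example: the thread's INSERT rewritten with PDO prepared statements.
// An in-memory SQLite database stands in for the MySQL server (assumption)
// so the script runs offline; for MySQL only the DSN and credentials change.

// saveScore() is a hypothetical helper name; the 50-character limit is assumed.
function saveScore(PDO $db, array $get): bool
{
    $name = $get['name'] ?? '';
    // score is numeric, so validate it as an integer instead of escaping it
    $score = filter_var($get['score'] ?? null, FILTER_VALIDATE_INT);

    if (!is_string($name) || $name === '' || strlen($name) > 50 || $score === false) {
        return false; // missing, array-valued, oversized or non-numeric input
    }

    // Placeholders keep the SQL text constant; the values are bound separately
    $stmt = $db->prepare('INSERT INTO example (name, score) VALUES (:name, :score)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':score', $score, PDO::PARAM_INT);
    return $stmt->execute();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE example (name TEXT, score INTEGER)');

// Constructed sample requests (in the real script this array is $_GET)
$requests = [
    ['name' => 'tony', 'score' => '120'],
    ['name' => "O'Brien\"); --", 'score' => '95'],  // quotes are stored as data
    ['name' => 'mallory', 'score' => '1 OR 1=1'],    // not an integer: rejected
    ['name' => ['x'], 'score' => '5'],               // array-valued parameter: rejected
];

foreach ($requests as $get) {
    echo saveScore($db, $get) ? "saved\n" : "rejected\n";
}

// Show what was stored: the quoted name comes back unchanged
foreach ($db->query('SELECT name, score FROM example') as $row) {
    printf("%s => %d\n", $row['name'], $row['score']);
}
```

When connecting to MySQL through PDO, setting PDO::ATTR_EMULATE_PREPARES to false makes the driver use server-side prepared statements rather than building the query string in the client.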

paulman888888 (Author)
Posted May 29, 2008

Thank you very much.