Glenugie Posted January 3, 2009

    $insert = "INSERT INTO Users (character_image)
    VALUES ('".$_POST['class']'.jpg'."')";

This code is designed to insert data about a user's character image into my database. It inserts the variable part of it all right, so you can probably ignore that bit; it doesn't like the .jpg part of it, however. In tests I've done I've tried different variations of using " and '. I got closest without any, as it returned the right value, only missing the . I'm not sure if there's a specific way to make it read the last part that I am not aware of; if there is, could you please tell me?

Thanks in advance
~Glenugie~

MySQL: Server Version 5.0.45, Client Version 5.0.27

corbin Posted January 3, 2009

    $insert = "INSERT INTO Users (character_image) VALUES ('{$_POST['class']}.jpg')";

You were sticking them together incorrectly. It could be done other ways, but that's the easiest way to do it.

By the way, you shouldn't trust user input (the GET, POST, COOKIE, REQUEST and so on arrays). You should always escape data like that, or at least check it for sanity before putting it in a database. I guess you could be doing that elsewhere though.

Glenugie Posted January 3, 2009

Thanks. I haven't started escaping stuff yet; I'm going to be putting it all in soon though. I don't need the extra security quite yet though.

fenway Posted January 4, 2009

It's not "extra", it's "mandatory".

Glenugie Posted January 4, 2009

I've looked into it in a little more detail, but I'm not sure I entirely understand the method for escaping data. I have to do it for every query, inserting data and extracting data, right? For inserting I have to escape all the values going in, and for extracting I have to escape all values coming out?

Thanks for telling me anyway.
~Glenugie~

fenway Posted January 5, 2009

Only for tainted data going in.
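
An added example (not code from any poster in this thread) of the two steps corbin mentions, checking the value for sanity and keeping it out of the SQL text, here using a PDO prepared statement in place of manual escaping. The class names and the in-memory SQLite database are assumptions made so the script runs offline; against MySQL only the DSN passed to PDO changes.

```php
<?php
// Added example, not code from the thread.
// Assumption: these class names are constructed for the demo.
const ALLOWED_CLASSES = ['warrior', 'mage', 'rogue'];

// Sanity check: accept only a known class name and build the file name from it.
function characterImage(string $class): ?string
{
    return in_array($class, ALLOWED_CLASSES, true) ? $class . '.jpg' : null;
}

// The value is sent as a bound parameter, so it never becomes part of the SQL text.
function insertImage(PDO $db, string $image): void
{
    $stmt = $db->prepare('INSERT INTO Users (character_image) VALUES (?)');
    $stmt->execute([$image]);
}

// Assumption: in-memory SQLite so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (character_image TEXT)');

// Constructed stand-ins for $_POST['class']; the second contains a quote.
foreach (['mage', "d'artagnan"] as $class) {
    $image = characterImage($class);
    if ($image === null) {
        echo "rejected: $class\n";
        continue;
    }
    insertImage($db, $image);
}

// A quote in a bound value is stored as data; the interpolated query in the
// thread would have ended the string literal at that quote instead.
insertImage($db, "d'artagnan.jpg");

// Reading back needs no SQL escaping: values come out exactly as stored.
foreach ($db->query('SELECT character_image FROM Users') as $row) {
    echo $row['character_image'], "\n";
}
```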