Rifts Posted August 22, 2010 Share Posted August 22, 2010 $sql1 = "INSERT INTO `playerdb` ( `ID` , `User_ID` , `User_PW` , `Rx` , `Ry` , `Rz` , `Tx` , `Ty` , `Level` , `XP_total` , `XP_spent` , `qp` , `class` , `Base_h` , `Base_t` , `Base_ar` , `Base_al` , `Base_l` , `Base_b` , `Bday` , `Creation_time` , `Last_login` , `Admin` , `Items` , `Worn` , `att` , `att_xp` , `agi` , `agi_xp` , `dex` , `dex_xp` , `vit` , `vit_xp` , `mag` , `mag_xp` , `skill_name` , `skill_xp` ) VALUES ('', '$_POST['uid']', '$_POST['upw']', '$Rx', '$Ry', '$Rz', '$Tx', '$Ty', '1', '0', '0', '0', '$_POST['classa']', '$_POST['haira']', '$_POST['bodya']', '$_POST['armsa']', '$_POST['armsa']', '$_POST['legsa']', '$_POST['bootsa']', '$_POST['age_yeara']-$_POST['age_montha']-$_POST['age_daya']', NOW( ) , NOW( ) , '0', '', '', '5', '0', '5', '0', '5', '0', '5', '0', '5', '0', '$skilllvls', '$skillexps')"; Link to comment https://forums.phpfreaks.com/topic/211406-help-stupid-long-t_string-error/ Share on other sites More sharing options...
Pikachu2000 Posted August 22, 2010 Share Posted August 22, 2010 Enclose your $_POST array element vars in curly braces (or use proper string concatenation). Also, you really shouldn't be putting user-supplied form data directly into a query string. It should be sanitized with mysql_real_escape_string(), typecasting, etc. first to prevent SQL injection. $sql1 = "INSERT INTO `playerdb` ( `ID` , `User_ID` , `User_PW` , `Rx` , `Ry` , `Rz` , `Tx` , `Ty` , `Level` , `XP_total` , `XP_spent` , `qp` , `class` , `Base_h` , `Base_t` , `Base_ar` , `Base_al` , `Base_l` , `Base_b` , `Bday` , `Creation_time` , `Last_login` , `Admin` , `Items` , `Worn` , `att` , `att_xp` , `agi` , `agi_xp` , `dex` , `dex_xp` , `vit` , `vit_xp` , `mag` , `mag_xp` , `skill_name` , `skill_xp` ) VALUES ('', '{$_POST['uid']}', '{$_POST['upw']}', '$Rx', '$Ry', '$Rz', '$Tx', '$Ty', '1', '0', '0', '0', '{$_POST['classa']}', '{$_POST['haira']}', '{$_POST['bodya']}', '{$_POST['armsa']}', '{$_POST['armsa']}', '{$_POST['legsa']}', '{$_POST['bootsa']}', '{$_POST['age_yeara']}-{$_POST['age_montha']}-{$_POST['age_daya']}', NOW( ) , NOW( ) , '0', '', '', '5', '0', '5', '0', '5', '0', '5', '0', '5', '0', '$skilllvls', '$skillexps')"; Link to comment https://forums.phpfreaks.com/topic/211406-help-stupid-long-t_string-error/#findComment-1102259 Share on other sites More sharing options...
Rifts Posted August 22, 2010 Author Share Posted August 22, 2010 ahhh that worked perfectly thank you and all the values are from drop down boxes so users can not enter anything =] Link to comment https://forums.phpfreaks.com/topic/211406-help-stupid-long-t_string-error/#findComment-1102267 Share on other sites More sharing options...
PFMaBiSmAd Posted August 22, 2010 Share Posted August 22, 2010 the values are from drop down boxes so users can not enter anything LOL, anyone can submit any values they want because they don't need your form to do so. A hacker or just someone who wants to cheat at whatever you are doing could inject sql and INSERT any number of records into your table with any values they want. Link to comment https://forums.phpfreaks.com/topic/211406-help-stupid-long-t_string-error/#findComment-1102269 Share on other sites More sharing options...
Rifts Posted August 22, 2010 Author Share Posted August 22, 2010 I dont understand how they can do that because there are no text field boxes they are only premade dropdown options like blue black red green Link to comment https://forums.phpfreaks.com/topic/211406-help-stupid-long-t_string-error/#findComment-1102274 Share on other sites More sharing options...
kenrbnsn Posted August 22, 2010 Share Posted August 22, 2010 Hackers will screen scrape your form and will send anything they want in your variables using their own code. They won't use your form once they scrape it. Always validate all user input. Ken Link to comment https://forums.phpfreaks.com/topic/211406-help-stupid-long-t_string-error/#findComment-1102291 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.