
using ? placeholders in INSERT statement is causing errors - help anyone?


DLR


Hi all,

 

I'm trying to improve the security of my site by using placeholders in my script.

 

This code works fine

$add_nom = "INSERT INTO nominees (cat_id,nominee,first_name,last_name,email)" .
	"VALUES('$cat_id','$nom_name','$f_name','$last_name','$email')" ;

 

when I substitute with placeholders, like this

 

$add_nom = "(INSERT INTO nominees (cat_id,nominee,first_name,last_name,email)" .
	"VALUES(?,?,?,?,?), array($cat_id,$nom_name,$f_name,$last_name,$email))" ;

 

I get this error message

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'INSERT INTO nominees (cat_id,nominee,first_name,last_name,email)VALUES(?,?,?,?,?' at line 1

 

Please assist me in finding what I am doing wrong!

 

Thanks,

David

Regrettably, this does not work either.

 

I got the code from a manual where they used ? as the placeholders in their sample code (reference: Learning PHP by Sklar). It's a pretty good reference on all other matters - just a little difficult to follow at times when you are learning.

 

Thanks,

David

Why don't you just do:

$add_nom = "INSERT INTO nominees (cat_id,nominee,first_name,last_name,email) VALUES('$cat_id','$nom_name','$f_name','$last_name','$email')" ;

There is no need for that array.

 

I don't see how what you did increased security at all. Just escape the variables using the right function for your database - for mysql it's mysql_real_escape_string

Hi.

 

Thanks for input.

 

I tried this

 

$_POST['nom_name']= array_map('mysql_real_escape_string', $_POST['nom_name']);

 

I had the problem of "Argument #2 should be an array in c://file"

 

Could you tell me why that would be?

 

Thanks
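
An added example, not part of the original thread: with ? placeholders the SQL string contains only the statement, and the values are passed to the database API as a separate argument, so no escaping call is needed. It uses PDO with an in-memory SQLite database (an assumption, so it runs without a MySQL server); the column names come from the first post, and the column types and sample values are constructed.

```php
<?php
// Added example: PDO with an in-memory SQLite database (assumption).
// For MySQL only the DSN and credentials passed to new PDO() change.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Column names are from the post; the column types are assumed.
$db->exec('CREATE TABLE nominees (
    cat_id INTEGER, nominee TEXT, first_name TEXT, last_name TEXT, email TEXT)');

// The SQL string holds only the statement and the ? markers.
// No surrounding parentheses, no array() inside the string.
$sql = 'INSERT INTO nominees (cat_id, nominee, first_name, last_name, email) '
     . 'VALUES (?, ?, ?, ?, ?)';
$stmt = $db->prepare($sql);

// Constructed sample input. The apostrophes would end the quoted string
// early in the interpolated query from the first post.
$rows = [
    [3, "Readers' Choice", 'Pat', "O'Brien", 'pat@example.com'],
    [4, 'Best Newcomer', 'Sam', "D'Angelo", 'sam@example.com'],
];

foreach ($rows as $values) {
    // Values travel separately from the SQL text, one per ? in order,
    // so the driver never parses them as part of the statement.
    $stmt->execute($values);
}

// Read the rows back: the apostrophes are stored verbatim.
$check = $db->query('SELECT cat_id, nominee, last_name FROM nominees ORDER BY cat_id');
foreach ($check->fetchAll(PDO::FETCH_ASSOC) as $row) {
    printf("%d | %s | %s\n", $row['cat_id'], $row['nominee'], $row['last_name']);
}
echo $db->query('SELECT COUNT(*) FROM nominees')->fetchColumn(), " rows stored\n";
```
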
