DLR Posted January 31, 2007

Hi all,

I'm trying to improve the security of my site by using placeholders in my script. This code works fine:

$add_nom = "INSERT INTO nominees (cat_id,nominee,first_name,last_name,email)" . "VALUES('$cat_id','$nom_name','$f_name','$last_name','$email')" ;

When I substitute with placeholders, like this:

$add_nom = "(INSERT INTO nominees (cat_id,nominee,first_name,last_name,email)" . "VALUES(?,?,?,?,?), array($cat_id,$nom_name,$f_name,$last_name,$email))" ;

I get this error message:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'INSERT INTO nominees (cat_id,nominee,first_name,last_name,email)VALUES(?,?,?,?,?' at line 1

Please assist me in finding what I am doing wrong!

Thanks,
David
simcoweb Posted January 31, 2007

?'s are a protected character. Instead of using it as a placeholder, try using just single quotes for each: (' ', ' ', ' ', ' ', ' ')
DLR (Author) Posted January 31, 2007

Regrettably, this does not work either. I got the code from a manual where they used ? as the placeholders in their sample code (reference: Learning PHP by Sklar). It's a pretty good reference on all other matters - just a little difficult to follow at times when you are learning.

Thanks,
David
Jessica Posted January 31, 2007

Why don't you just do:

$add_nom = "INSERT INTO nominees (cat_id,nominee,first_name,last_name,email) VALUES('$cat_id','$nom_name','$f_name','$last_name','$email')" ;

There is no need for that array. I don't see how what you did increased security at all. Just escape the variables using the right function for your database - for mysql it's mysql_real_escape_string
simcoweb Posted January 31, 2007

Yeah, I think the error message is petering out before it displays the part about the array. No need for that part of the code as well as the extra comma.
DLR (Author) Posted January 31, 2007

Hi. Thanks for input. I tried this:

$_POST['nom_name']= array_map('mysql_real_escape_string', $_POST['nom_name']);

I had the problem of "Argument #2 should be an array in c://file". Could you tell me why that would be?

Thanks
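For reference, here is the same INSERT written with real placeholders via PDO prepared statements, plus a plain reading of the form fields that avoids the array_map() error (a single form field arrives as a string, and array_map() requires an array as its second argument). This is an added example, not the original poster's code or the book's; the DSN, credentials, and the $_POST key names other than nom_name are assumptions.

```php
<?php
declare(strict_types=1);

// Bound placeholders: the SQL text is sent once, the values are sent
// separately, so quotes in user input can never change the query.
function insertNominee(PDO $db, array $row): int
{
    $sql = 'INSERT INTO nominees (cat_id, nominee, first_name, last_name, email)'
         . ' VALUES (:cat_id, :nominee, :first_name, :last_name, :email)';
    $stmt = $db->prepare($sql);
    $stmt->execute([
        ':cat_id'     => $row['cat_id'],
        ':nominee'    => $row['nominee'],
        ':first_name' => $row['first_name'],
        ':last_name'  => $row['last_name'],
        ':email'      => $row['email'],
    ]);
    return (int) $db->lastInsertId();
}

// Map the form fields to column values. Key names other than nom_name are
// assumed; each field is checked to be a string, so no array_map() is needed.
function nomineeFromPost(array $post): array
{
    $map = [
        'cat_id'     => 'cat_id',
        'nominee'    => 'nom_name',
        'first_name' => 'f_name',
        'last_name'  => 'last_name',
        'email'      => 'email',
    ];
    $row = [];
    foreach ($map as $column => $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("missing or non-string field: $field");
        }
        $row[$column] = trim($post[$field]);
    }
    return $row;
}

// Placeholder connection details (assumed); replace with your own.
$db = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', 'YOUR_USER', 'YOUR_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
]);

$id = insertNominee($db, nomineeFromPost($_POST));
echo "inserted nominee id $id\n";
```

With PDO::ATTR_EMULATE_PREPARES set to false, the MySQL server itself parses the statement with the placeholders, which is why the "?"/":name" syntax works here but not when pasted into a plain query string.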