R1der Posted June 5, 2007

OK, I have made a classifieds page, but when you click "Post" it inserts the 'id' and 'username'; when it comes to adding the 'text' part it INSERTS '0' and I can't understand why :S Can anyone help with this?

```php
<?php
session_start();
include("gameconfig.php");
$title = "Classifieds";

// $email, $password, $action, $post, $step and $id arrive via register_globals
if(!$email || !$password){
    error("field");
    exit;
}
if($playerinfo['password'] != $password){
    error("password");
}else{
    include("top.php");
    $cost = 1000*$playerinfo['level'];
    echo "<center>Tribal Classifieds<br><br></center>";
    echo "<center>It will cost you $cost gold to post an advertisement<br><br></center>";
    echo "<center><form method=post action=classifieds.php?action=post>Advertise: <input name=post size=12> <INPUT TYPE=SUBMIT VALUE=Post></FORM></center>";

    // list the 20 newest advertisements; non-members get a delete link
    $select = mysql_query("select * from classifieds order by id DESC LIMIT 20");
    while($lis = mysql_fetch_array($select)){
        if($playerinfo['status'] != "Member"){
            echo "<center>[<a href=classifieds.php?step=delete&id=$lis[id]>D</a>] ";
            echo "$lis[username]: $lis[text]</center><br>";
        }else{
            echo "<center>$lis[username]: $lis[text]</center><br>";
        }
    }

    if($action == "post"){
        $post = abs($post);                 // abs() casts non-numeric text to 0 (see the replies below)
        $post = str_replace("-","",$post);
        $cost = 1000*$playerinfo['level'];
        if($playerinfo['gold'] > $cost){
            mysql_query("UPDATE userdb set gold=gold-$cost WHERE id='$playerinfo[id]'");
            mysql_query("INSERT INTO classifieds (id, username, text) VALUES ('', '$playerinfo[username]', '$post')") or die(mysql_error());
            echo "<center>You successfully added your advertisement.</center>";
        }else{
            echo "<center>You do not have enough gold to proceed</center>";
        }
    }

    if($step == "delete"){
        echo "News deleted. <a href=classifieds.php>Back</a>";
        $remove = mysql_query("delete from classifieds where id='$id'");
    }
    include("bottom.php");
}
?>
```

Thanks. Oh, and also, can you tell me if my code (text box) is secure enough from SQL injections? Thanks for your time.
only one Posted June 5, 2007

```php
mysql_query("UPDATE userdb set gold={$playerinfo['gold']}-$cost WHERE id='$playerinfo[id]'");
```
R1der Posted June 5, 2007

Erm, the update query works fine how it is. Why would that have anything to do with the INSERT query?
only one Posted June 5, 2007

```php
(`id`, `username`, `text`)
```

Try that?? I don't see anything wrong.
R1der Posted June 5, 2007

Nope, that didn't work either. I know I looked at it for a good 2 hours yesterday and couldn't spot anything. I even tried rewriting it and still got the same thing.
only one Posted June 5, 2007

Is it showing up an error?
R1der Posted June 5, 2007

No, it posts, but instead of showing what they typed in it puts a '0'. The database type is varchar(255).
only one Posted June 5, 2007

If it's only a number you should use int, then it will insert 0.
R1der Posted June 5, 2007

But I don't want it to insert '0' lol. It's an advertisement thing, so they type something and it shows. I.e. they type 'I am selling crystals' and it should insert "I am selling crystals", but it's not; it's inserting '0'. Get what I mean?
only one Posted June 5, 2007

Yea, I understand. I don't think you want to use the abs function:

```php
$post = abs($post);
```

That's only going to define whether it's varchar or integer.
R1der Posted June 5, 2007

Oh, I got told that would protect the textbox from SQL injections.
R1der Posted June 5, 2007

OK, it worked once I removed that. So how can I protect the text box now from SQL injections?
R1der Posted June 5, 2007

How about something like this? Would this work?

```php
$post['post'] = str_replace(array("<", ">", "\'"), array("&lt;", "&gt;", "'"), $post['post']);
```

Would that work to protect it?
only one Posted June 5, 2007

Yea.

```php
$post = str_replace(array("<", ">", "\'"), array("&lt;", "&gt;", "'"), $post['post']);
```
R1der Posted June 5, 2007

kk, thanks for all your help.
mmarif4u Posted June 5, 2007

The best way to protect from SQL injection is:

```php
$post = mysql_real_escape_string($_POST['post']);
```

It will protect more than the code you mention. Hope this will help.
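Two things the thread established can be demonstrated in one place: why abs() turned the advertisement into 0, and how to get the text into the table so that quotes or SQL keywords inside it are stored as data rather than parsed as part of the statement. This is an added example, not code from the thread; it assumes PDO with the SQLite driver is available and uses an in-memory table standing in for the MySQL classifieds table, and it uses a prepared statement rather than the mysql_real_escape_string() approach mmarif4u suggests (the mysql_* extension no longer exists in current PHP).

```php
<?php
// Added example, not from the thread. Assumes PDO + pdo_sqlite.

// --- 1. Why abs($post) produced 0 ---
// abs() converts its argument to a number first. Text that does not start
// with digits becomes 0, so the advertisement is lost before the INSERT.
// The explicit (float) cast reproduces the PHP 5 behaviour the thread saw.
function sanitizeLikeThread(string $post): string {
    return (string) abs((float) $post);
}
// sanitizeLikeThread('I am selling crystals') === '0'
// sanitizeLikeThread('12 crystals')           === '12'  (leading digits survive)

// --- 2. Parameterised INSERT / DELETE ---
// Constructed in-memory database with the same three columns as the thread.
function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE classifieds (id INTEGER PRIMARY KEY, username TEXT, text TEXT)');
    return $db;
}

// The advertisement is bound as a parameter; the SQL text never changes,
// so nothing the user types can alter the statement's structure.
function postAdvertisement(PDO $db, string $username, string $post): int {
    $stmt = $db->prepare('INSERT INTO classifieds (username, text) VALUES (:u, :t)');
    $stmt->execute([':u' => $username, ':t' => $post]);
    return (int) $db->lastInsertId();
}

// The thread's delete step interpolates $id straight into SQL; here the id is
// typed as int and bound, so only a number can ever reach the query.
function deleteAdvertisement(PDO $db, int $id): int {
    $stmt = $db->prepare('DELETE FROM classifieds WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount();
}

$db   = openDb();
$text = "I'm selling crystals, 'cheap'";          // constructed sample containing quotes
$id   = postAdvertisement($db, 'R1der', $text);
$row  = $db->query('SELECT text FROM classifieds')->fetchColumn();
assert($row === $text);                          // stored verbatim, quotes intact
// Escaping for the browser happens on output, separately from the database step.
echo htmlspecialchars($row, ENT_QUOTES, 'UTF-8'), "\n";
assert(deleteAdvertisement($db, $id) === 1);
```

The str_replace() of < and > discussed earlier in the thread addresses HTML output, not SQL; the two concerns are handled in different places above.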