Good?!

rIkLuNd

Is this a good way to add user input to a database?!

if($QUERY_STRING == "add")
{
mysql_connect($host,$user,$pass);
mysql_select_db($db);
mysql_query("
INSERT INTO table(username,password)
VALUES('$username','$password')
");
$id = mysql_insert_id();
echo "You are member number $id";
}
else
{
print writeForm();
}

The writeform function is in another file...

simon622

Functionally, that code will work fine, however if you are making a user registration script, you might want to tighten up on security, maybe using some encryption on your password, maybe
MD5()?

It is an unecessary risk to hold you passwords in plain text.

You might also want to check the return from the my_query to make sure everything inserted correctly, or use the "or die" directive and output mysql errors after that.

I personally use this code;

$query = "--SOME QUERY--"
$try=mysql_db_query(DBNAME, $query);
if (!$try){
echo "mysql_error()";
exit;
}
else{
//Everything ok carry on
}

Hope this helps a little.