[Resolved] using $_GET['x'] in insert statement

jacksonpt

what's the sytanx for using a $_GET variable in an INSERT statement?

I want to do this:

     $sql = "INSERT INTO students  (
                           FirstName,
                           LastName
                          )
                   Values (
                           '$_GET['FirstName']',
                           '$_GET['LastName']'
                          )";

But I get an error because of the string and all the '

bike5

$sql = "INSERT INTO students  ( 
                           FirstName, 
                           LastName 
                          ) 
                   Values ( 
                           '$_GET[FirstName]', 
                           '$_GET[LastName] ' 
                          )";

Could always do

mysql_query("INSERT INTO students VALUES ('$_GET[FirstName]','$_GET[LastName]')")

You just take out the single quote inside there.

jacksonpt

Cool... thanks.

laserlight

$sql = "INSERT INTO `students`
	(`FirstName`, `LastName`)
	VALUES (
		'{$_GET['FirstName']}',
		'{$_GET['LastName']}'
	)";

EDIT: bike5 isnt quite correct.
By taking out the single quotes, PHP will then assume that the array indices are constants, and search for these constants.
When it is determined that the indices are not constants, PHP will then treat them as strings, as originally intended.

You dont get any error notices though, since the whole thing is in a string anyway, unlike using $_GET[FirstName] outside a string.

bike5

Didn't know that, but is it going to always work the way I did it anyway in that situation? Because I did that with all my scripts where I had to get the value inside the " " anyway and I have never had a problem. Now that I know though I'll start using the correct way when I do those.

Although the correct way uses up 4 more characters each time you do it {''} increasing the file size unnoticeably but nevertheless, it probably has faster execution time right?

Sgarissta

I hope you aren't writing variables straight from the user into the database.

This is a classic example of how SQL injections happen. You should really validate and strip illegal characters from the input before putting it into the DB. Or at the very least running addslashes against it to keep a simple single quote from breaking things.