[RESOLVED] Convert Form POST data to variables?

DaveScheuerman

Hello,

I have created a form with about 15 fields in it that posts data to a mysql database. Is it necessary, or advisable to convert all of the POST data to variables to use in my INSERT statement?

I suppose I should trim, add slashes, etc most of the fields before inserting. I guess my question is, do I just do it one by one for all 15 fields:

$item = mysql_escape_string($_POST['item']);

or is there a better way with a loop?

While I'm on the subject, is it better to use mysql_escape_string or addslashes? I'm not really clear on the differences.

Thanks in advance!

bpat1434

It really doesn't matter 😉 You can leave them in the post array, you can put them in your own new array, you could create variables for each of them. Heck, you could really create an XML, then read it in via a simplexml object 😛

The way to secure your queries is to use [man]mysql_real_escape_string/man to properly escape characters, and if you really want to be cautious, you could use [man]sprintf[/man] to mke the inputs even more defined as to what type of data it is.

For example:

$query = sprintf("INSERT INTO `tablename` (`column`, `column`, `column`, `column`) VALUES ('%d', '%s', '%d', '%s')",
    mysql_real_escape_string($_POST['something']),
    mysql_real_escape_string($_POST['something']),
    mysql_real_escape_string($_POST['something']),
    mysql_real_escape_string($_POST['something']));

DaveScheuerman

Ok, great! Thanks!