That is such bad advice in so many ways...
1) The proper syntax is INSERT INTO accounts VALUES ('a','b','c','d');
2) It's better to also include the fields you are inserting, so you won't
have to change your script when the database schema changes:
INSERT INTO accounts (username,password,email) VALUES ('username','password','email');
3) If the code D.N. uses works (is it some kind of alternative syntax?)
it's very insecure because it allows SQL injection. Vince was actually on
the right track..
$query = sprintf(
    "INSERT INTO Accounts (username,password,email) VALUES ('%s','%s','%s')",
    mysql_real_escape_string($username),
    mysql_real_escape_string($password),
    mysql_real_escape_string($email)
);
$result = mysql_query($query);
If this still fails, you can see if there was an error using mysql_error..
if (!$result) return mysql_error();
(so you can trace the error in flash, for example)
The reason I'm using mysql_real_escape_string, instead of addslashes is
because there are some special characters that still allow the evil guy
to inject arbitrary SQL in some charsets. I realize it makes it a lot
harder to quickly make quick queries, so there are 2 solutions to this
problem.
1) Use PDO (the new database abstraction layer in PHP5) with prepared
statements
2) Use this helper function:
function mysql_safequery($query) {
    // Everything after the first argument is a value for a %s placeholder.
    $params = func_get_args();
    array_shift($params);
    // Escape every value before it is substituted into the query string.
    foreach ($params as $k => $v) $params[$k] = mysql_real_escape_string($v);
    return mysql_query(vsprintf($query, $params));
}
Now, call your queries like this:
mysql_safequery("INSERT INTO Accounts (username,password,email) VALUES ('%s','%s','%s')",
    $username, $password, $email);
Evert
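
Option 1 from the message above (PDO with prepared statements), as an added example that is not part of the original message or the thread's code. It assumes an in-memory SQLite database in place of MySQL so it runs offline; `openAccountsDb`, `insertAccount` and the sample values are hypothetical and constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumption: an in-memory SQLite
// database stands in for MySQL so this runs offline; with MySQL only the DSN
// and credentials passed to new PDO(...) change.

function openAccountsDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Raise exceptions on failure instead of returning false silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE Accounts (
        ID INTEGER PRIMARY KEY,
        username VARCHAR(64),
        password VARCHAR(255),
        email VARCHAR(255))');
    return $pdo;
}

function insertAccount(PDO $pdo, string $username, string $password, string $email): int
{
    // Placeholders are bound as data by the driver rather than spliced
    // into the SQL string by hand, so no manual escaping is needed.
    $stmt = $pdo->prepare(
        'INSERT INTO Accounts (username, password, email)
         VALUES (:username, :password, :email)'
    );
    $stmt->execute([
        ':username' => $username,
        ':password' => $password,
        ':email'    => $email,
    ]);
    return (int) $pdo->lastInsertId();
}

$pdo = openAccountsDb();

// Constructed sample input containing quote characters and SQL syntax.
$hostile = "O'Brien', 'x', 'y'); --";
$hash = password_hash('constructed-password', PASSWORD_DEFAULT);
$id = insertAccount($pdo, $hostile, $hash, 'user@example.com');

// Read the row back to compare the stored value with the input.
$check = $pdo->prepare('SELECT username FROM Accounts WHERE ID = :id');
$check->execute([':id' => $id]);
$stored = $check->fetchColumn();
$rows = (int) $pdo->query('SELECT COUNT(*) FROM Accounts')->fetchColumn();

var_dump($stored === $hostile, $rows === 1);
```
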
D.N. wrote:
> ehr... I mean:
>
> $query = "INSERT INTO Accounts SET username='$username',
> password='$password', email='$email'"
>
> forgot the SET, my bad!
>
> Daan
>
> ----- Original Message -----
> *From:* D.N. <mailto:[EMAIL PROTECTED]>
> *To:* Open Source Flash Mailing List <mailto:[email protected]>
> *Sent:* Tuesday, May 01, 2007 5:06 PM
> *Subject:* Re: [osflash] AMFPHP INserting into database, Please HLP
>
> how about just:
>
> $query = "INSERT INTO Accounts username='$username',
> password='$password', email='$email'"
>
> hope this helps,
> Daan
>
> ----- Original Message -----
> *From:* Cordaro, Vince <mailto:[EMAIL PROTECTED]>
> *To:* [email protected] <mailto:[email protected]>
> *Sent:* Tuesday, May 01, 2007 4:27 PM
> *Subject:* [osflash] AMFPHP INserting into database, Please HLP
>
> I am having trouble getting my insert into my mysql database
> to work.
>
> My database has a table called Accounts and I have 4 fields,
>
> ID, primary Key, Int
> username, varchar
> password, varchar
> email, varchar
>
> I have tried all kinds of different things. I just can't seem
> to find a tutorial on how to write to the database.
>
> This is my actual PHP insertAccount function:
>
> /**
> mysql_query("INSERT INTO
> Accounts(NULL,'".addslashes($username)."',
> '".addslashes($password)."',
> '".addslashes($email)."')");
> **/
> $sql = sprintf("INSERT INTO
> Accounts(NULL,%s,%s,%s)",$username,$password,$email);
>
> $query = mysql_query($sql);
>
> //return mysql_insert_id();
> return $query;
>
>
>
>
> Vince
>
>
> ------------------------------------------------------------------------
> _______________________________________________
> osflash mailing list
> [email protected]
> http://osflash.org/mailman/listinfo/osflash_osflash.org