First, using a $_POST value directly into a MySQL query is EXTREMELY
unsafe. Always filter data from any source to make sure it's what you
expect. SQL injection is one of the easiest ways to cause real damage
to a website.

Check out this fuction for making the string safe:
Also, try and strip out any characters that don't belong in the string
anyway, just as added security.

Good luck learning PHP.

--Another person who happens to be named Ben

I've also put a few edits in the code.
On Jan 2, 2008 9:57 PM, Ben Stones <[EMAIL PROTECTED]> wrote:
> Hello, my name is Ben Stones. I am quite a beginner to PHP, and as a new
> years resolution I am going to learn PHP (finally!)
> Cut to the chase I have created a basic looping script that would display
> anything submitted in a form, on seperate lines; here is the PHP code:
> $con = mysql_connect("localhost","ben_test","------removed-----") or
> die("con");
> $db = mysql_select_db("ben_test") or die("db");
> mysql_query("CREATE TABLE `comments` (messages varchar(255))");
> $comments = $_POST['comment'];
> $sql1 = mysql_query("INSERT INTO `comments` (`messages`) VALUES
> ($comments)");
> $mysql_query_one = mysql_query("SELECT * FROM `comments`");
> while($rows=mysql_fetch_array($mysql_query_one)) {
> echo $rows['messages'] . "[br /]";
> }
> Everything went swell for the first half, and after I truncated the test
> messages (or everything in the column, if you like), I tried doing one more
> test run and upon clicking 'Submit', nothing would display except the
> messages I added via phpMyAdmin.
> Hope someone could help me.
> PS: The password has been edited out of the preceding code as well as the
> HTML code purposely for the mailing list.

PHP Database Mailing List (
To unsubscribe, visit:

Reply via email to