Hell, I feel about as dumb as can be.  I just got things straight and
it seems to work just fine...
Here is where my problem was...

        // One INSERT per table; each $resultN is what mysql_query() returns
        // (FALSE on error).
        $sql1 = "INSERT INTO books
                    ( title, sub_title, descr, comment, bk_cover,
                      publish_date, ISBN, language )
                    VALUES ('$titleIN', '$sub_titleIN', '$descrIN',
                    '$commentIN', '$bk_coverIN', '$publish_dateIN',
                    '$ISBNIN', '$languageIN')";
        $result1 = mysql_query($sql1, $db);
        $sql2 = "INSERT INTO authors
                    (first_name, last_name) VALUES ('$first_nameIN',
                    '$last_nameIN')";
        $result2 = mysql_query($sql2, $db);
        $sql3 = "INSERT INTO publishers
                    (publisher) VALUES ('$publisherIN')";
        $result3 = mysql_query($sql3, $db);

In effect, once I understood what the $result statements meant, all
became clear.
It looks like I can now add more $sql4... etc as long as I have the
correct input strings and all should be hunky-dory, whatever that means.

Of course, I am quite new to this and do and will appreciate any
comments and/or suggestions.
My next questions will be about how to "automate" inserts of foreign key
tables... :-(

More questions below...

Colin Guthrie wrote:
> Also, you are possibly running risks above if you do not properly
> escape your variables:
> e.g. You have:
> $sql1 = "INSERT INTO authors (first_name, last_name) VALUES
> ('$first_nameIN', '$last_nameIN')";
> Your examples do not show where the values came from but if it's
> directly from a form post or similar, if I put the value:
>  'blah','blah'); DELETE FROM authors;
Sorry, don't understand... If you put the value where and how?
> The query generated could be:
> INSERT INTO authors(firstname,lastname) VALUES ('blah','blah'); DELETE
> FROM authors;.....
> Obviously this is a massive security risk and is generally referred to
> as "SQL Injection Attacks".
Sad that there are such people around who have nothing better to do than
do "attacks"...
> You should look into using the function mysql_real_escape_string() to
> escape all your inputs.
I'm trying - I just looked at the PHP manual on
mysql_real_escape_string() and it just confuses me more and more. Not
clear, yet, just what the escape string thing is :-(
When you say "escape all your inputs" - just what do you mean? Does that
mean I need some special routines that have to be repeated over and over
every time there is an input... but what do you mean by an "input"? And,
from looking at all the comments in the manual, it's not clear just
where to stop...
> Col


Phil Jourdan --- p...@ptahhotep.com
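One way to do what Colin suggests, as an added example that is not code from either poster: every value that arrived from outside (a form field) is passed through mysql_real_escape_string() before it is placed between the quotes, so the injected text from above becomes an ordinary string literal. It assumes an open mysql_connect() link in $db and the authors table from the message above; the mysqli prepared-statement version at the end (assumed connection $mysqli) is how the same insert is written in current PHP, where the mysql_* functions no longer exist.

```php
<?php
// Added example, not from the thread. Assumes $db is an open mysql_connect()
// link and the authors(first_name, last_name) table shown in the message.

// "Escape all your inputs": each value that came from outside the script
// (here, a form post) goes through mysql_real_escape_string() before it is
// put inside the quotes of an SQL string. The function puts a backslash in
// front of quotes and backslashes, so the database reads the whole value
// as text and never as SQL.
function escape_inputs(array $raw, $db) {
    $clean = array();
    foreach ($raw as $field => $value) {
        $clean[$field] = mysql_real_escape_string($value, $db);
    }
    return $clean;
}

// Constructed sample input: Colin's test value as it would arrive in $_POST.
$input = array(
    'first_name' => "'blah','blah'); DELETE FROM authors;",
    'last_name'  => 'Smith',
);
$in = escape_inputs($input, $db);

// $in['first_name'] is now  \'blah\',\'blah\'); DELETE FROM authors;
// so the query below stores that text as a first name and nothing else.
$sql2 = "INSERT INTO authors (first_name, last_name)
         VALUES ('{$in['first_name']}', '{$in['last_name']}')";
$result2 = mysql_query($sql2, $db);

// The same insert as a prepared statement (mysqli). The values are sent
// separately from the SQL text, so there is nothing to escape and nothing
// to forget on the next form field. Assumes $mysqli is a mysqli connection.
$stmt = $mysqli->prepare(
    "INSERT INTO authors (first_name, last_name) VALUES (?, ?)"
);
$stmt->bind_param('ss', $input['first_name'], $input['last_name']);
$stmt->execute();
$stmt->close();
```

The escaping has to happen once per input value, not once per query, which is why a small helper like escape_inputs() that walks the whole form array is easier to get right than remembering it for each field.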

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
