On Sat, 2010-07-03 at 09:01 +0200, Alexandre Simon wrote:
> Hello,
>
> multiple things:
> - escape your values:
> 1. if some of the user input contains '\'' for instance, your query is
> not well formed
> 2. if some evil user wants to do anything with your DB, he can do it
> => See mysql_escape_string or PDO prepared statements
> - Use "else" part of the if statement everywhere you can to see where
> the error is. Maybe you can not connect to DB for instance...
>
> Hope you will fix your code.
>
> On Friday, 02 July 2010 at 22:05 +0000, Carlos Sura wrote:
> >
> > Hello, this function does not work for me... And I really don't know what
> > I am doing wrong... Any help??
> >
> > This function is in a class, and I call it in a form, to create a new user..
> >
> >
> >
> > $objEmploye=new Employe;
> > if (
> > $objEmploye->insert(array($name,$lastname,$salary,$dui,$afp,$isss,$nit)) ==
> > true){
> > echo 'Saved';
> > }else{
> > echo 'Error, try again';
> > }
> > }else{
> >
> >
> > function insert($field){
> > if($this->con->connect()==true){
> > return mysql_query("INSERT INTO employes (name,lastname,
> > salary, id, afp, isss, nit) VALUES ('".$field[0]."',
> > '".$field[1]."','".$field[2]."','".$field[3]."','".$field[4]."','".$field[5]."','".$field[6]."')");
> > }
> > }
> >
> >
> >
> >
> > Thanks.
> >
>
>
>
As the variables aren't using the special global arrays $_POST or $_GET,
there's no indication that the values aren't being sanitised when they
go into the query.
Thanks,
Ash
http://www.ashleysheridan.co.uk
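As an added illustration of the advice in Alexandre's reply (this is not code from the thread), here is the original insert() rewritten with PDO prepared statements, keeping the employes table and column names from Carlos's post; the DSN, credentials and sample values are placeholders I have assumed.

```php
<?php
// Added example, not from the original thread. The values never become
// part of the SQL text: they are bound as parameters, so a quote in the
// input (O'Brien) is stored literally and cannot change the statement.

class Employe
{
    private PDO $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
    }

    /**
     * Insert one row. $field keeps the positional layout of the post:
     * [name, lastname, salary, id, afp, isss, nit].
     * Returns true on success; PDO throws on SQL errors (see ERRMODE below).
     */
    public function insert(array $field): bool
    {
        if (count($field) !== 7) {
            throw new InvalidArgumentException('insert() expects exactly 7 fields');
        }
        $sql = 'INSERT INTO employes (name, lastname, salary, id, afp, isss, nit)
                VALUES (?, ?, ?, ?, ?, ?, ?)';
        $stmt = $this->pdo->prepare($sql);
        return $stmt->execute(array_values($field));
    }
}

// Connection: report failure instead of silently returning nothing, which is
// the "else" branch Alexandre asked for. DSN and credentials are placeholders.
try {
    $pdo = new PDO('mysql:host=localhost;dbname=EXAMPLE_DB;charset=utf8mb4',
                   'EXAMPLE_USER', 'EXAMPLE_PASSWORD', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
    ]);
} catch (PDOException $e) {
    error_log('DB connection failed: ' . $e->getMessage()); // detail to the log
    die('Error, could not connect to the database');         // generic to the user
}

// Constructed sample input; the apostrophe would have broken the original query.
$objEmploye = new Employe($pdo);
$ok = $objEmploye->insert(["O'Brien", 'Sura', 1200, '00000000-0', 'AFP', 'ISSS', 'NIT']);
echo $ok ? 'Saved' : 'Error, try again';
```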