PJ wrote:
Hell, I feel about as dumb as can be. I just got things straight and
it seems to work just fine...
Here is where my problem was...

        $sql1 = "INSERT INTO books
                    ( title, sub_title, descr, comment, bk_cover,
                      publish_date, ISBN, language )
                VALUES
                    ('$titleIN', '$sub_titleIN', '$descrIN',
                     '$commentIN', '$bk_coverIN', '$publish_dateIN',
                     '$ISBNIN', '$languageIN')";
        $result1 = mysql_query($sql1, $db);
        $sql2 = "INSERT INTO authors
                    (first_name, last_name) VALUES ('$first_nameIN',
                     '$last_nameIN')";
        $result2 = mysql_query($sql2, $db);
        $sql3 = "INSERT INTO publishers
                    (publisher) VALUES ('$publisherIN')";
        $result3 = mysql_query($sql3, $db);

In effect, once I understood what the $result statements meant, all
became clear.
It looks like I can now add more $sql4... etc as long as I have the
correct input strings and all should be hunky-dory, whatever that means.

"hunky dory" means "all good".

$result1 will send $sql1 to the mysql db and get the result of what that did (in this case an insert). You can use this to see if it worked or not.

If $result1 returns false, it didn't work.

$result2 sends $sql2 to the db and returns what happened there.

Of course, I am quite new to this and do and will appreciate any
comments and/or suggestions.
My next questions will be about how to "automate" inserts of foreign key
tables... :-(

More questions below...

The query generated could be:
INSERT INTO authors(firstname,lastname) VALUES ('blah','blah'); DELETE
FROM authors;.....

Obviously this is a massive security risk and is generally referred to
as "SQL Injection Attacks".
Sad that there are such people around who have nothing better to do than
do "attacks"...

People also do it for a living ;)

You should look into using the function mysql_real_escape_string() to
escape all your inputs.
I'm trying - I just looked at the PHP manual on
mysql_real_escape_string() and it just confuses me more and more. Not
clear, yet, just what the escape string thing is :-(

Instead of doing this (for an imaginary table):

$sql = "insert into table1(field1, field2) values ('$value1', '$value2')";

do

$sql = "insert into table1(field1, field2) values ('" . mysql_real_escape_string($value1) . "', '" . mysql_real_escape_string($value2) . "')";

Now $value1 and $value2 can only be used as data, they can't be used against you.

If you don't do that, try adding a last name of O'Reilly - your code will break because of the ' in the name.

When you say "escape all your inputs" - just what do you mean? Does that
mean I need some special routines that have to be repeated over and over
every time there is an input... but what do you mean by an "input"? And,
from looking at all the comments in the manual, it's not clear just
where to stop...

"input" means anything a user gives you. Whether it's a first name, last name, a comment in a blog, a website url - anything you get from a user must be escaped.

--
Postgresql & php tutorials
http://www.designmagick.com/
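An added example, not from anyone in this thread, showing the two points the reply makes: a quote in a name such as O'Reilly breaks a query built by pasting values into the SQL text, and once values travel as data they cannot change what the statement does. It uses Python's sqlite3 module with query placeholders rather than PHP's mysql_real_escape_string(), which is a different mechanism for the same goal (the database driver, not string concatenation, keeps data and SQL apart). The authors table, the insert_row() helper, the ALLOWED allow-list of column names and all sample values are constructed for the example; insert_row() is the kind of single reusable routine PJ asks about, so the same check is not repeated at every input.

```python
import sqlite3

# Constructed schema mirroring the thread's "authors" table (example only).
SCHEMA = "CREATE TABLE authors (first_name TEXT, last_name TEXT)"

# Column names cannot be passed as placeholders, so they are never taken from
# user input; they are checked against this constructed allow-list instead.
ALLOWED = {"authors": ("first_name", "last_name")}


def open_db():
    """Open an in-memory database and create the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_unsafe(conn, first, last):
    """The pattern from the thread: values pasted straight into the SQL text."""
    sql = f"INSERT INTO authors (first_name, last_name) VALUES ('{first}', '{last}')"
    conn.execute(sql)


def insert_row(conn, table, values):
    """Insert one row with every value passed as data, never as SQL.

    `values` maps column name -> user-supplied value. Column names are
    validated against ALLOWED; the values are handed to the driver
    separately from the statement through '?' placeholders.
    """
    cols = ALLOWED.get(table)
    if cols is None:
        raise ValueError(f"unknown table {table!r}")
    bad = [c for c in values if c not in cols]
    if bad:
        raise ValueError(f"unknown column(s) {bad}")
    names = ", ".join(values)
    marks = ", ".join("?" for _ in values)
    sql = f"INSERT INTO {table} ({names}) VALUES ({marks})"
    conn.execute(sql, tuple(values.values()))


def authors(conn):
    """Return all rows so the stored values can be inspected."""
    return conn.execute(
        "SELECT first_name, last_name FROM authors ORDER BY last_name"
    ).fetchall()


def demo():
    """Run the three cases from the thread and report what happened."""
    conn = open_db()
    results = {}

    # 1. The O'Reilly case: the apostrophe ends the string literal early and
    #    the statement no longer parses, so the driver raises an error.
    try:
        insert_unsafe(conn, "Tim", "O'Reilly")
        results["unsafe_oreilly"] = "inserted"
    except sqlite3.Error as e:
        results["unsafe_oreilly"] = "error: " + str(e)

    # 2. The same name through placeholders: stored verbatim, quote and all.
    insert_row(conn, "authors", {"first_name": "Tim", "last_name": "O'Reilly"})

    # 3. The injection-looking value quoted in the thread, also through
    #    placeholders: it is stored as a plain string and nothing else runs.
    payload = "blah'); DELETE FROM authors;"
    insert_row(conn, "authors", {"first_name": "blah", "last_name": payload})
    results["rows"] = authors(conn)

    # 4. A column name not on the allow-list is refused before any SQL is built.
    try:
        insert_row(conn, "authors", {"last_name": "x", "email": "y"})
        results["bad_column"] = "accepted"
    except ValueError as e:
        results["bad_column"] = str(e)

    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The thing to notice in the output is that the "DELETE FROM authors;" text ends up as a last name in the table, and both rows are still there afterwards: the value was never interpreted as SQL. The allow-list on column names is the part placeholders cannot do for you, which is why the helper validates identifiers separately from values.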


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
