Old 02-28-2008, 09:36 AM
Axel Schwenke
Default Re: "i have gone crazy mfing crazy i have gone crazy"

"so many sites so little time" <kkddrpg@gmail.com> wrote:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This ain't cool. Please use your real name here.

> what i am trying to say here is
>
> // Define the query.
> $query = "INSERT INTO home (1) VALUE ('{$_POST['header']}')";
> "INSERT
> INTO home (2) VALUE '{$_POST['body']}'";
>
> the name of the table is home
> and that table has two fields, 1 and 2, and field 1 is a varchar 50 for
> the header and field two is text for the body of my site, and 'header'
> and 'body' are the values I'm using b/c those are the names of the
> fields in the form


1. this is invalid PHP: you assign the first string literal to $query
but the second is just standing there. Don't you get a PHP syntax
error here? I didn't look into PHP for a long time, but the curly
braces around $_POST[foo] look suspicious. It's much better style
to create the query string with sprintf().

2. this is invalid SQL: INSERT INTO table [(columns)] VALUES (values)
~~~
3. this is a strange schema. Did you call the columns of table `home`
`1` and `2`? Really? Bad thing!

4. if you have two columns `1` and `2`, you should insert values into
both columns at once. Otherwise you will get two totally unrelated
records in table `home`.

5. this opens the door for SQL injection. You must NEVER use GET/POST
variables without escaping them correctly.


XL
--
Axel Schwenke, Senior Software Developer, MySQL AB

Online User Manual: http://dev.mysql.com/doc/refman/5.0/en/
MySQL User Forums: http://forums.mysql.com/
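For points 2, 4 and 5 together, here is an added example (not code from the thread or from either poster) of the INSERT written as a single row with both columns filled and the form values bound as parameters, which covers the escaping requirement without hand-escaping. It assumes columns named `header` and `body` instead of `1` and `2`, and placeholder connection credentials.

```php
<?php
// Added example: one INSERT for both columns, POST values bound as
// parameters instead of being pasted into the SQL string.
// Assumes table `home` with columns `header` VARCHAR(50) and `body` TEXT
// (column names are an assumption; the thread used `1` and `2`).

function insert_home_row(mysqli $db, string $header, string $body): int
{
    // The SQL text is fixed; the user's data travels separately as bound
    // parameters, so quotes or other characters in it cannot change the query.
    $stmt = $db->prepare('INSERT INTO home (header, body) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // "ss": both parameters are sent as strings.
    $stmt->bind_param('ss', $header, $body);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Check the form before touching the database: both fields must be present
// and the header must fit its VARCHAR(50) column.
$header = $_POST['header'] ?? null;
$body   = $_POST['body'] ?? null;
if ($header === null || $body === null) {
    http_response_code(400);
    exit('missing form fields');
}
if (strlen($header) > 50) {
    http_response_code(400);
    exit('header too long');
}

// Placeholder credentials; replace with the real ones.
$db = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$db->set_charset('utf8mb4');
$newId = insert_home_row($db, $header, $body);
echo "inserted row $newId";
```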