I have a PHP function that makes a query to MySQL DB.
function regEvent($event, $l)
{
$sqlz_upd="UPDATE {$event} SET f1a='$_POST[F1A"'.$l.'"]'";
The question is what is the syntax to use variable $l in $_POST[F1A$l]?
-
3Side note: Read up on SQL injectionPekka– Pekka10/05/2011 13:37:10Commented Oct 5, 2011 at 13:37
Add a comment
|
3 Answers
$condition = $_POST["F1A" . $l];
$sqlz_upd="UPDATE {$event} SET f1a='".mysql_real_escape_string($condition)."'";
This is how to use your dynamic post and be safe for Sql Injection.
answered Oct 5, 2011 at 13:39
-
1This wil definitly do the tric!Michiel– Michiel10/05/2011 13:52:17Commented Oct 5, 2011 at 13:52
-
Even better would be to look into PHPs PDO.Treffynnon– Treffynnon10/05/2011 13:56:03Commented Oct 5, 2011 at 13:56
Here you go:
$var = mysql_real_escape_string($_POST["F1A".$l]);
$sqlz_upd="UPDATE {$event} SET f1a='$var' ";
answered Oct 5, 2011 at 13:37
-
3I'm not downvoting, but note that answering with code with injection vulnerabilitles is regarded downvote-worthy by many! (myself included usually.)Pekka– Pekka10/05/2011 13:46:27Commented Oct 5, 2011 at 13:46
if you are using a string as key in an associative array. It should be enclosed in single or double quotes(though PHP won't give any error).
i.e. $_POST['F1A'. $l] or $_POST["F1A$l"]
my suggestion will be...
$sqlz_upd="UPDATE {$event} SET f1a='" . $_POST["F1A$l"] . "'";
