Jump to content

help stupid long `T_STRING error

Rifts

By Rifts
in PHP Coding Help

 Share

Recommended Posts

Rifts Advanced Member

Rifts

Posted
Posted

 

     $sql1 = "INSERT INTO `playerdb` ( `ID` , `User_ID` , `User_PW` , `Rx` , `Ry` , `Rz` , `Tx` , `Ty` , `Level` , `XP_total` , `XP_spent` , `qp` , `class` , `Base_h` , `Base_t` , `Base_ar` , `Base_al` , `Base_l` , `Base_b` , `Bday` , `Creation_time` , `Last_login` , `Admin` , `Items` , `Worn` , `att` , `att_xp` , `agi` , `agi_xp` , `dex` , `dex_xp` , `vit` , `vit_xp` , `mag` , `mag_xp` , `skill_name` , `skill_xp` ) VALUES ('', '$_POST['uid']', '$_POST['upw']', '$Rx', '$Ry', '$Rz', '$Tx', '$Ty', '1', '0', '0', '0', '$_POST['classa']', '$_POST['haira']', '$_POST['bodya']', '$_POST['armsa']', '$_POST['armsa']', '$_POST['legsa']', '$_POST['bootsa']', '$_POST['age_yeara']-$_POST['age_montha']-$_POST['age_daya']', NOW( ) , NOW( ) , '0', '', '', '5', '0', '5', '0', '5', '0', '5', '0', '5', '0', '$skilllvls', '$skillexps')";

 

 

Link to comment
Share on other sites
Pikachu2000 Prolific Member

Pikachu2000

Posted
Posted

Enclose your $_POST array element vars in curly braces (or use proper string concatenation). Also, you really shouldn't be putting user-supplied form data directly into a query string. It should be sanitized with mysql_real_escape_string(), typecasting, etc. first to prevent SQL injection.

 

$sql1 = "INSERT INTO `playerdb` ( `ID` , `User_ID` , `User_PW` , `Rx` , `Ry` , `Rz` , `Tx` , `Ty` , `Level` , `XP_total` , `XP_spent` , `qp` , `class` , `Base_h` , `Base_t` , `Base_ar` , `Base_al` , `Base_l` , `Base_b` , `Bday` , `Creation_time` , `Last_login` , `Admin` , `Items` , `Worn` , `att` , `att_xp` , `agi` , `agi_xp` , `dex` , `dex_xp` , `vit` , `vit_xp` , `mag` , `mag_xp` , `skill_name` , `skill_xp` ) VALUES ('', '{$_POST['uid']}', '{$_POST['upw']}', '$Rx', '$Ry', '$Rz', '$Tx', '$Ty', '1', '0', '0', '0', '{$_POST['classa']}', '{$_POST['haira']}', '{$_POST['bodya']}', '{$_POST['armsa']}', '{$_POST['armsa']}', '{$_POST['legsa']}', '{$_POST['bootsa']}', '{$_POST['age_yeara']}-{$_POST['age_montha']}-{$_POST['age_daya']}', NOW( ) , NOW( ) , '0', '', '', '5', '0', '5', '0', '5', '0', '5', '0', '5', '0', '$skilllvls', '$skillexps')";

Link to comment
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted
the values are from drop down boxes so users can not enter anything

 

LOL, anyone can submit any values they want because they don't need your form to do so.

 

A hacker or just someone who wants to cheat at whatever you are doing could inject sql and INSERT any number of records into your table with any values they want.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.