I am having trouble getting this to work. I want to make sure that if the user adds HTML tags or PHP tags in the text fields of a form, they do not get added to the database.
The code that I have now adds the strip_tags along with the HTML and PHP tags into the database.
Here is my code:
<?php
//Check for Valid Email
function valid_email($email) {
return filter_var($email, FILTER_VALIDATE_EMAIL);
}
//Add people Information to Database
function addToDB ($sql, $con) {
require 'db.php';
$sql= ("INSERT INTO people (name,email) VALUES(
'strip_tags($_POST[name])',
'($_POST[email])')");
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
mysql_close($con);
}
//Add vehicle Information to Database
function addToDB1 ($sql, $con) {
require 'db.php';
$sql="INSERT INTO vehicle (year, make, model, color)
VALUES
('$_POST[year]','$_POST[make]', '$_POST[model]', '$_POST[color]')";
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
mysql_close($con);
}
?>
It is not possible to call functions within a string the way you interpolate variables in double-quoted strings!
So your query needs to be something like this:
By the way, you should really consider escaping your input data coming from POST/GET variables! Something like:
The best alternative, however, would be to use prepared statements to prevent SQL injection!
Edit: if you are working with variables within strings, use {$_POST[email]} and not ($_POST[email]) to keep your variable names consistent!
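Putting the two points of the answer together (call strip_tags() outside the query string, and use a prepared statement), here is an added example of the people insert rewritten with PDO. This is not code from the question or the answer; it assumes a PDO connection $pdo to the database that holds the people table, and the DSN and credentials are placeholders.

```php
<?php
// Added example (not from the question or the answer): the `people` insert
// rewritten so that tags are stripped *before* the value reaches the query,
// and the query itself is a prepared statement, so user data is never
// interpolated into the SQL text. Assumes a PDO connection $pdo to the
// database that holds the `people` table from the question.

function valid_email(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

function addPerson(PDO $pdo, string $name, string $email): bool
{
    // Sanitise in PHP, outside the query string: strip_tags() only runs when
    // called as a function; written inside a quoted string it is just text.
    $name  = trim(strip_tags($name));
    $email = trim($email);

    if ($name === '' || !valid_email($email)) {
        return false; // reject instead of storing bad data
    }

    // Placeholders keep the data separate from the SQL, so quotes or SQL
    // keywords in the input cannot change the statement's meaning.
    // strip_tags() addresses HTML/PHP tags; the prepared statement is what
    // addresses SQL injection. Both are needed here.
    $stmt = $pdo->prepare('INSERT INTO people (name, email) VALUES (:name, :email)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);

    return $stmt->execute();
}

// Usage with the form fields from the question. DSN and credentials are
// placeholders; `?? ''` avoids notices when a field is missing from the request.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let MySQL bind the parameters itself
]);

if (addPerson($pdo, $_POST['name'] ?? '', $_POST['email'] ?? '')) {
    echo 'Saved.';
} else {
    echo 'Invalid name or email.';
}
```

The same pattern applies to the vehicle insert: one placeholder per column, bind each $_POST value, then execute.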