Home/ Questions/Q 8159131
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-06T17:48:58+00:00

I am starting a very basic site that uses a single line form to

  • 0

I am starting a very basic site that uses a single line form to post into a database and then later echo that $comment variable on the page. I don’t know PDO, but am willing to learn if I truly need it for something this simple.

else
mysql_query("INSERT INTO posts (postid, post_content)
VALUES ('', '$comment <br />')");
}
mysql_close($con);

Above this code I have basic strpos commands to block out some of the things I don’t want posted.

Am I going to experience any issues with injections down the road from how I am doing this?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    No, it’s not safe, you need to use mysql_real_escape_string to escape $comment.

    But, PDO is nothing difficult and make your code stronger.

    // create the connection. something like mysql_connect/mysql_error
try {
    $dbh = new PDO($dsn, $user, $password);
} catch (PDOException $e) {
    echo 'Connection failed: ' . $e->getMessage();
}

// create the prepared statement.
$stmt = $dbh->prepare("INSERT INTO posts (postid, post_content) VALUES (?, ?)");
// execute it with parameters.
$stmt->execute(array('', $comment.'<br>'));
    • 0