So, I have the following PHP command to post to my db.
$sql = "INSERT INTO `db`.`table` (`id`, `type`, `subtype`, `image1`, `image2`, `image3`, `title`, `body`, `price`, `googlecode`, `date`) VALUES (NULL, '$type', '$subType', '$image1', '$image2', '$image3', '$title', '$body', '$price', '$googleCode', '$date');";
The data is grabbed from a POST; for instance, the type is
$type = $_POST['type'];
etc..
However, when posting stuff, my code sometimes works and sometimes doesn't.
I think it's because I'm using niceEdit to grab the body text and when it posts, I'm worried that the ‘ and the ” interfere with my post…
Also, the $googlecode is a bunch of divs with quote marks and others.
Could this be why my code works off and on?
I guess it sometimes fails because you don't escape the values but directly add them to the query. This way some values might break the SQL statement, and the statement is vulnerable to SQL injection.
To fix this you have to escape the values or, even better, use prepared statements. It is also strongly recommended to add some error handling so you can more easily get a meaningful error message (thx Pekka).
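The INSERT from the question rewritten with PDO prepared statements and exception-based error handling, as an added example that is not code from either poster; it assumes a MySQL database reachable via PDO, the table and column names from the question, and placeholder credentials.

```php
<?php
// Added example: the question's INSERT using PDO prepared statements, so
// quotes, backticks and HTML in the values (the niceEdit body, the
// googlecode divs) travel as data and can neither break the SQL nor
// inject into it. DSN, user and password are placeholders (assumption).
$pdo = new PDO(
    'mysql:host=localhost;dbname=db;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        // Throw on errors instead of failing silently, so the "sometimes
        // doesn't work" case yields a readable message.
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares rather than client-side emulation.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Read the posted fields with quoted keys (the POST key names are an
// assumption); a missing field becomes '' instead of raising a notice.
$fields = ['type', 'subType', 'image1', 'image2', 'image3',
           'title', 'body', 'price', 'googleCode', 'date'];
$values = [];
foreach ($fields as $f) {
    $values[$f] = isset($_POST[$f]) ? (string) $_POST[$f] : '';
}

// Identifiers (table, columns) stay in the SQL text; every value is a
// named placeholder, so no quoting or escaping of $values is needed.
// `id` is omitted and left to auto-increment, as the NULL in the
// original query implies.
$sql = 'INSERT INTO `db`.`table`
          (`type`, `subtype`, `image1`, `image2`, `image3`,
           `title`, `body`, `price`, `googlecode`, `date`)
        VALUES
          (:type, :subType, :image1, :image2, :image3,
           :title, :body, :price, :googleCode, :date)';

try {
    $stmt = $pdo->prepare($sql);
    $stmt->execute($values);   // array keys match the :placeholders
    echo 'Inserted row id ' . $pdo->lastInsertId();
} catch (PDOException $e) {
    // Keep the real error server-side; show the user a generic message.
    error_log('Insert failed: ' . $e->getMessage());
    echo 'Could not save the post.';
}
```

If the body may legitimately contain HTML, escape it with htmlspecialchars() when it is rendered back to a page, not when it is stored.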