The code here is still incomplete because I'm still going to ask you guys what the proper format/syntax of using mysql escape string is. I'm still a beginner in PHP and I want to learn how to avoid SQL injections. Is the code below correct?
$con = mysql_connect("localhost","root","mypwd");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("Hospital", $con);
$sqlque="INSERT INTO t2 (HOSPNUM, ROOMNUM, ADATE, ADTIME, LASTNAME, FIRSTNAME, MIDNAME, CSTAT, AGE, BDAY, ADDRESS, TELNUM, SEX, STAT, STAT2, STAT3, STAT4, STAT5, STAT6, STAT7, STAT8, NURSE)
VALUES ('$_POST[hnum]', '$_POST[rnum]', '$_POST[adate]', '$_POST[adtime]', '$_POST[lname]', '$_POST[fname]', '$_POST[mname]', '$_POST[cs]', '$_POST[age]', '$_POST[bday]', '$_POST[ad]', '$_POST[telnum]', '$_POST[sex]', '$_POST[stats1]', '$_POST[stats2]', '$_POST[stats3]', '$_POST[stats4]', '$_POST[stats5]', '$_POST[stats6]', '$_POST[stats7]', '$_POST[stats8]', '$_POST[nurse]')";
// These calls run, but their escaped return values are discarded; $sqlque above still interpolates the raw $_POST values.
mysql_real_escape_string($_POST[hnum]);
mysql_real_escape_string($_POST[rnum]);
mysql_real_escape_string($_POST[adate]);
You’ll need to escape the values before you put them into the query:
If you have a lot of values, you can loop over them:
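As an added example (not code from the original answer), one way to build the same INSERT with every value escaped inside a loop; the column-to-field mapping is taken from the question's query, and `$con` is assumed to be the mysql_connect() link opened above:

```php
<?php
// Added example: escape each POST value in a loop before it is interpolated.
// Assumes $con is the open mysql_connect() link from the question.
$fields = array(
    'HOSPNUM' => 'hnum',   'ROOMNUM'   => 'rnum',   'ADATE'   => 'adate',
    'ADTIME'  => 'adtime', 'LASTNAME'  => 'lname',  'FIRSTNAME' => 'fname',
    'MIDNAME' => 'mname',  'CSTAT'     => 'cs',     'AGE'     => 'age',
    'BDAY'    => 'bday',   'ADDRESS'   => 'ad',     'TELNUM'  => 'telnum',
    'SEX'     => 'sex',    'STAT'      => 'stats1', 'STAT2'   => 'stats2',
    'STAT3'   => 'stats3', 'STAT4'     => 'stats4', 'STAT5'   => 'stats5',
    'STAT6'   => 'stats6', 'STAT7'     => 'stats7', 'STAT8'   => 'stats8',
    'NURSE'   => 'nurse',
);

$columns = array();
$values  = array();
foreach ($fields as $column => $postKey) {
    // A missing field becomes an empty string instead of an undefined-index notice.
    $raw = isset($_POST[$postKey]) ? $_POST[$postKey] : '';
    // Pass the link so escaping uses the connection's character set; without an
    // open link mysql_real_escape_string() returns false and the value is lost.
    $columns[] = $column;
    $values[]  = "'" . mysql_real_escape_string($raw, $con) . "'";
}

// Every value is quoted and escaped, so the only SQL text is the template below.
$sqlque = 'INSERT INTO t2 (' . implode(', ', $columns) . ') VALUES ('
        . implode(', ', $values) . ')';

if (!mysql_query($sqlque, $con)) {
    die('Insert failed: ' . mysql_error($con));
}
```

The mysql_* extension is deprecated since PHP 5.5 and removed in PHP 7; the same mapping loop works unchanged with mysqli_real_escape_string(), and a prepared statement (mysqli or PDO) avoids hand-escaping altogether.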