Re: Trouble with $_POST data

Posted by Jerry Stuckle on 07/01/07 19:27

Brendan Gillatt wrote:
> On Sun, 01 Jul 2007 08:26:10 -0400, Todd Michels <todd@nalamail.com>
> wrote:
>
>> Hi all,
>>
>> I am trying to send data from a form and insert it into a MSSQL DB.
>>
>> When I submit the data I get: Warning: mssql_query()
>> [function.mssql-query]: message: The name "Todd" is not permitted in
>> this context. Valid expressions are constants, constant expressions, and
>> (in some contexts) variables. Column names are not permitted. (severity
>> 15) in "Myfile"
>>
>> If I don't use the POST data and write the query explicitly, it works.
>>
>> Any help is appreciated.
>>
>> Thanks,
>> Todd
>>
>> WinXP SP2
>> MSSQL Express 2005
>> IIS 5.1
>> PHP 5.2.1
>>
>> It's a basic form:
>>
>> <body>
>> <form id="form1" name="form1" method="post" action="flextest.php">
>> <label>User Name
>> <input name="username" type="text" id="username" />
>> </label>
>> <label>Email Address
>> <input name="emailaddress" type="text" id="emailaddress" />
>> </label>
>> <p>
>> <input type="submit" name="Submit" value="Submit" />
>> </p>
>> </form>
>> </body>
>>
>> And here is the MSSQL insert:
>>
>> if( $_POST["emailaddress"] AND $_POST["username"])
>> {
>> //add the user
>> $Query = sprintf('INSERT INTO users (username, emailaddress)
>> VALUES (%s, %s)', $_POST["username"], $_POST["emailaddress"]);
>>
>> $Result = mssql_query($Query);
>> }
>
> You could try doing $_POST[username] (remove the quotes) and seeing if
> that makes a difference.
>

That is incorrect PHP and will give a notice (if notices are turned on).

> NB: Your code could have a SQL injection exploit if Magic Quotes
> is turned off on your PHP.



--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
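
The warning in the question comes from the form values being placed into the SQL text as bare tokens, which is also what leaves the query open to injection. The following is an added example, not code from the thread, showing the same insert with bound parameters. It assumes PDO with an in-memory SQLite database standing in for the MSSQL server; `clean_input` and the sample values are hypothetical.

```php
<?php
// Added example: SQLite in memory stands in for the MSSQL server so the
// script runs offline; table and column names are taken from the post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, emailaddress TEXT)');

// Constructed sample input standing in for $_POST.
$post = ['username' => "Todd O'Neil", 'emailaddress' => 'todd@example.com'];

// What the sprintf() in the post produces: the values land in the SQL
// text as bare tokens, so the server parses Todd as a column name.
$built = sprintf('INSERT INTO users (username, emailaddress) VALUES (%s, %s)',
    $post['username'], $post['emailaddress']);
echo "Built by sprintf: $built\n";

// Validate presence and shape before touching the database.
function clean_input(array $in): ?array
{
    $name  = trim($in['username'] ?? '');
    $email = filter_var($in['emailaddress'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($name === '' || strlen($name) > 64 || $email === false) {
        return null;
    }
    return ['username' => $name, 'emailaddress' => $email];
}

$row = clean_input($post);
if ($row === null) {
    exit("Rejected input\n");
}

// Placeholders keep the values out of the SQL text entirely; the driver
// sends them as data, so the apostrophe in the name needs no escaping.
$stmt = $db->prepare(
    'INSERT INTO users (username, emailaddress) VALUES (:username, :emailaddress)'
);
$stmt->execute($row);

foreach ($db->query('SELECT username, emailaddress FROM users') as $r) {
    echo $r['username'], ' <', $r['emailaddress'], ">\n";
}
```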

 
