Posted by Jordan Miller on 08/22/05 16:55
I agree, you must be careful of SQL injection... use
mysql_real_escape_string().
To chop off the last character of text use substr():
$sqlstruct = substr($sqlstruct, 0, -1);
Jordan
http://www.php.net/substr
Example 3. Using a negative length
<?php
$rest = substr("abcdef", 0, -1); // returns "abcde"
$rest = substr("abcdef", 2, -1); // returns "cde"
$rest = substr("abcdef", 4, -4); // returns ""
$rest = substr("abcdef", -3, -1); // returns "de"
?>
On Aug 20, 2005, at 4:55 PM, Greg Donald wrote:
> On 8/20/05, Andras Kende <andras@kende.com> wrote:
>
>> I would like to create the MySQL insert query for my HTML form
>> fields.
>> I have a small problem: it will have an extra , at the end of
>> $sqlstruct
>> and an extra "" at $sqldata.
>>
>> Can anyone give a hint?
>>
>> ////////////
>> foreach ($_POST as $variable=>$value){
>> $sqlstruct.=$variable.",";
>> $sqldata.=$value."\"','\"";
>> }
>>
>> $query="insert into db ($sqlstruct) VALUES ($sqldata)";
>>
>
> $k = implode( ',', array_keys( $_POST ) );
> $v = implode( ',', array_values( $_POST ) );
>
> $sql = "INSERT INTO db ( $k ) VALUES ( $v )";
>
> I'd never do something like this though, just begs for SQL injection.
>
>
> --
> Greg Donald
> Zend Certified Engineer
> MySQL Core Certification
> http://destiney.com/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
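Added example, not part of the original thread: both the foreach loop and the implode() version put the $_POST keys straight into the column list, which escaping the values does not cover. The sketch below keeps only allowlisted field names and binds the values through PDO; the column names (name, email, phone), the in-memory SQLite database and the sample input are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Column names and sample input are constructed.
// Allowlist of form fields that map to real columns in table `db` (assumed schema).
const ALLOWED_COLUMNS = ['name', 'email', 'phone'];

/**
 * Build a parameterized INSERT from form input.
 * Keys outside the allowlist are dropped, so client-chosen field names
 * never reach the SQL text; values travel only as bound parameters.
 */
function buildInsert(array $post): array
{
    $row = [];
    foreach (ALLOWED_COLUMNS as $col) {
        // is_scalar() rejects array-valued fields such as name[]=...
        if (isset($post[$col]) && is_scalar($post[$col])) {
            $row[$col] = (string) $post[$col];
        }
    }
    if ($row === []) {
        throw new InvalidArgumentException('no recognised form fields');
    }
    // implode() puts separators only between items, so there is no trailing comma to trim.
    $cols  = implode(', ', array_keys($row));
    $marks = implode(', ', array_fill(0, count($row), '?'));
    return ["INSERT INTO db ($cols) VALUES ($marks)", array_values($row)];
}

// Constructed input: quote characters in the values and an unexpected field name.
$post = [
    'name'  => "O'Brien",
    'email' => "x'); DROP TABLE db; --",
    'phone) VALUES (1); --' => 'ignored',
];

$pdo = new PDO('sqlite::memory:');   // in-memory database so the example runs offline
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE db (name TEXT, email TEXT, phone TEXT)');

[$sql, $params] = buildInsert($post);
$pdo->prepare($sql)->execute($params);

echo $sql, "\n";   // the statement text contains only allowlisted names and ? markers
print_r($pdo->query('SELECT * FROM db')->fetchAll(PDO::FETCH_ASSOC));
```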