Posted by Danny Brow on 03/16/05 04:07

On Tue, 2005-03-15 at 18:45 -0500, Jason Barnett wrote:
> Danny Brow wrote:
> > Thanks for looking,
> >
> > I figured it out, after RTFM for db, I found that I needed to do field=? instead of using VALUES ().
> >
> >
> >
> > Example:
> >
> > $db->query('UPDATE items SET item_name=?, item_desc=?, item_price=?, extraprice=? WHERE item_id = 3',
> > array($_POST['title'], $_POST['description'], $_POST['price'], $_POST['extraprice']));
> >
>
> FYI - You should at least escape the $_POST data (more filtering may be
> necessary) before you go inserting it into your database. When using
> raw $_POST data it may be possible for someone to DROP DATABASE.

I was planning on this, but I like to get things working first then move
on to cleaning the input up. I'm still learning the db stuff, so the
less that can cause an issue the better.

Thanks,
Dan.

[Back to original message]