Need a little help with php variables in MySQL_QUERY

This is so elementary it is embarassing to ask but 47 years of assembly programming background doesn't help in these fancy high level interpreters.

My php program is receiving the data from SL OK as
$name = $_POST['Name'];
$location = $_POST['Where'];
and I can echo them back to SL so I know the received php variables are OK.

I'm trying to put the data into a MySQL data base.
I can make it work with string constants OK:-

MYSQL_QUERY( "INSERT INTO $table VALUES('Mickey Mouse','Disneyland')";

and that works fine. but I don't seem to be able to store variables. Not knowing any better I tried:-

MYSQL_QUERY( "INSERT INTO $table VALUES($name,'Disneyland')";

but it doesn't work. It seems a logical substitution of a string variable for a string constant, what am I doing wrong?

Oooh PHP! Got to love that
Try:

-----EDIT START---
Replace the FIELDS (not the brackets) with the fields divided by a comma in the same order as the values.
http://www.tizag.com/mysqlTutorial/mysqlinsert.php (Tuto about insert)
-----EDIT END------

Anyway you only said what data it should insert. And not what fields. I think this should work. (It does for me anyway) and the " (close) . (dot) " (open) is just for the sake of telling that a string ends but a variable is given. (It's not totaly necessary but it's by PHP standards)

Hope for you this works!
cheers!

try...

Roy is right it should resemble something like:

INSERT INTO $table (name, location) VALUES ('$name', '$location')

Also, I strongly recommend that you add slashes to your variables, ie:
$name = addslashes($_POST['name']);

Otherwise it's possible for people to alter the format of your SQL query and perform additional, unwanted operations on them such as a DELETE or UPDATE statement.

Thanks all, got it working and I knew it had to be something very simple.
I'm still a little confused as to which variables require quotes around them and which don't since the table name variable is working fine without the quotes.

As I understand it, you don't have to name the fields if you are supplying a matching set of data to the whole row, at least it is working that way and in my application it is very easy to use a standard Get and Put routine that always gets and puts the whole row.

It may depend on your SQL implementation, but then I typically have ID columns which are auto-generated by MySQL so I can't supply the full row really (I suppose I could, but I prefer to be specific).

As for quotes, fields don't require quotes as they are alpha-numeric (plus a few symbols, but not commas), so there's no risk of them breaking the syntax. Indeed most SQL versions throw errors if you DO add quotes around field names.
As for values, quotes MUST be included around anything that is textual, so a varchar, char, or text for example. Number such as integers and so-on don't require quotes, but it's usually good to include them anyway, but ONLY if the field-type they are going into is a number type. I'm not sure, but I expect if you are making queries without supplying the field names, then you may have to include quotes for all of them as it can't be sure of the types?

And yes, it's very confusing, SQL is actually a horrible standard, just the thought of having to have every query you send parsed before it can be run makes me shudder, but I'm a performance junkie sometimes.

This may make things simple at first. But if you need to add more fields to your table later on then you will regret saving a lit effort now. All of your PHP code will be broken by the table change and will need to be fixed. It is a good idea to always name the fields that you want on all gets and puts.

You should always assume malicious content in every $_GET or $_POST variable. It may seem very paranoid, but you should also assume that your database may be hacked and that data returned from a QUERY also contains malicious content.

Hmm about that addslashes or whatever on the input. I'm not sure if that's needed for the mysql_query() function. I've read somewhere that it only supports one query. So that doing "; DROP TABLE *; somedata" wont work as it wil stop executing after the ;

But even if this is true... Keep checking user input! Don't consider them as your best friend. They don't know what to do and they try to get in where they shouldn't be.

(Hmm paranoid? Maybe )

Roy

Not with extended SQL queries, you can put several queries into a single mysql_query() call, and mysql_query() can be used to do; SELECT, UPDATE, DELETE, INSERT and can be given permission to perform ALTER, CREATE and DROP, though these require a suitable user account to connect with.

For example, if your query was:
INSERT INTO table (field) VALUES ('$value')

Then I could mess with value to create:
INSERT INTO table (field) VALUES ('0');
DELETE FROM table WHERE (field != '')

And suddenly your entire database table is empty.

As dangerous as they are, they can be very useful to large INSERT queries in a single go, as many SQL implementations have ways of optimising such bulk queries

Have a look at mysql_escape_string to prevent SQL injection into your query.
http://www.php.net/manual/en/function.mysql-escape-string.php

Or, if you can use mysqli functions, look at variable binding to prevent this.

Lyn