-1

I am not new to PHP, but I am facing a very basic problem and don't know how to overcome it. I have a table for comments in which the fields are name, email, comment, date and time. What I want to do is insert the system date and time into their respective fields, but it only enters the time, not the date. The type of the date field is date and the type of the time field is time. Here is my query:

 $insert = 'insert into tbl_comment 
      (name, email, desc, date, time)
      VALUES 
 ("'.$_POST['name'].'","'.$_POST['email'].'","'.$_POST['comment'].'"
 ,CURDATE(),"CURTIME()",CURTIME())';   
      mysql_query($insert);
 }

Please help me out.

Kashif Waheed

1 Answer

0

Your code is vulnerable to SQL injection. Fix this immediately!

// Function to sanitize values received from the form. Prevents SQL injection.
// mysql_real_escape_string() needs an open mysql_connect() link.
function clean($str) {
    $str = @trim($str);
    // Undo magic-quotes escaping first so the value is not escaped twice
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

$myName = clean($_POST['name']);
$myEmail = clean($_POST['email']);
$myDesc = clean($_POST['comment']);
// `desc` is a reserved word in MySQL, so it is backticked along with date and time
$insert = "insert into tbl_comment 
           (name, email, `desc`, `date`, `time`)
           VALUES 
           ('$myName','$myEmail','$myDesc',CURDATE(),CURTIME())";   
mysql_query($insert);

If you have date & time as field names, use backticks as they are reserved keywords.

Also read: how to insert data in PHP/MySQL

Fahim Parkar
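The same insert written with bound parameters instead of string escaping, as an added example that is not part of the original question or answer. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs offline; `saveComment` is a hypothetical helper and the sample input is constructed.

```php
<?php
// Added example, not the answerer's code. SQLite in memory stands in for
// MySQL so the script runs offline (assumption); use a mysql: DSN in real use.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_comment
            (name TEXT, email TEXT, `desc` TEXT, `date` TEXT, `time` TEXT)');

/**
 * Insert one comment. User input travels only as bound parameters, so quotes
 * in it cannot change the statement. (saveComment is a hypothetical helper.)
 */
function saveComment(PDO $pdo, array $post): bool
{
    $name    = trim($post['name'] ?? '');
    $email   = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $comment = trim($post['comment'] ?? '');
    if ($name === '' || $email === false || $comment === '') {
        return false; // reject incomplete or malformed submissions
    }
    // CURRENT_DATE / CURRENT_TIME are standard SQL; MySQL treats them as
    // synonyms for CURDATE() / CURTIME(). Five columns, five values.
    $stmt = $pdo->prepare(
        'INSERT INTO tbl_comment (name, email, `desc`, `date`, `time`)
         VALUES (:name, :email, :comment, CURRENT_DATE, CURRENT_TIME)'
    );
    return $stmt->execute(
        [':name' => $name, ':email' => $email, ':comment' => $comment]
    );
}

// Constructed sample input: quotes that would break a concatenated query.
$post = [
    'name'    => 'Tim "Tools" O\'Reilly',
    'email'   => 'tim@example.com',
    'comment' => 'It\'s a "quoted" comment; still just data.',
];
var_dump(saveComment($pdo, $post)); // well-formed submission
var_dump(saveComment($pdo,          // malformed email, rejected before any SQL runs
    ['name' => 'x', 'email' => 'not-an-email', 'comment' => 'y']));

foreach ($pdo->query('SELECT * FROM tbl_comment', PDO::FETCH_ASSOC) as $row) {
    print_r($row); // stored name and desc, to compare against the input above
}
```

Against MySQL, set `PDO::ATTR_EMULATE_PREPARES` to `false` and put `charset=utf8mb4` in the DSN so the server prepares the statement itself.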