
Tough question to ask, but basically I have a web form with "title", "message" and "image" boxes; they all work in uploading it to one table on MySQL.

What I want to do is have another field in my form for WHERE I want it to post to. I have 2 pages and 2 tables at the moment, table Blog and table Blog_2. They both work if I change my insert.php to INSERT INTO Blog or Blog_2.

But I want to be able to use the field and a $_POST[Blog] function which is linked to a field in a form; it's going to have a dropdown box to select either Blog or Blog_2.

Below is my code. I've given it a go, but I can't seem to make it work. I created a variable called $insert, as you can see.

Maybe it's just a syntax problem, but I'm not that PHP savvy.

<?php
$con = mysql_connect("xxx","xxx","xxx");
mysql_select_db("databse") or die(mysql_error());

$insert = '$_POST[Blog]';

mysql_query("INSERT INTO $insert
(Date, Title, Message, Image) 
VALUES(now(), '$_POST[Title]' , '$_POST[Message]' , '$_POST[Image]' ) ")
or die(mysql_error()); 

echo "1 record added";


mysql_close($con);
?>
BigOrinj
  • If this is new code, consider moving to [mysqli](http://www.php.net/manual/en/book.mysqli.php) or [PDO](http://www.php.net/manual/en/ref.pdo-mysql.php) instead of the original [mysql](http://www.php.net/manual/en/intro.mysql.php) interface. – Maxime Morin Nov 04 '12 at 12:15
  • It is a syntax issue: `$insert = '$_POST[Blog]';`. If you output your SQL string (which requires that you create it first), you would have known. In any case you did not post the mysql error message here which is not constructive. – hakre Nov 04 '12 at 12:27
  • [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained and the [deprecation process](http://j.mp/Rj2iVR) has begun on it. See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – tereško Nov 04 '12 at 12:30
  • possible duplicate of [apostrophes are breaking my mysql query in PHP](http://stackoverflow.com/questions/1961308/apostrophes-are-breaking-my-mysql-query-in-php) – Jocelyn Nov 05 '12 at 01:04
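An added example, not code from the question or from any answer: the same insert.php written with PDO. A table name cannot be a bound parameter in a prepared statement, so the dropdown value is mapped through a fixed whitelist of the two tables the question names, and the Title, Message and Image values are bound so a quote in them cannot break or alter the statement. Host, credentials and database name are the question's own placeholders; the helper name chooseTable is my own.

```php
<?php
// Added example (not the asker's code). Same insert.php, using PDO:
// the target table comes from a whitelist, the values are bound parameters.

// Maps the dropdown value to the real table name. Only these two tables exist.
$allowedTables = array('Blog' => 'Blog', 'Blog_2' => 'Blog_2');

// Returns the whitelisted table name, or null if the request names anything else.
function chooseTable(array $allowed, $requested) {
    if (!is_string($requested) || !isset($allowed[$requested])) {
        return null;
    }
    return $allowed[$requested];
}

$table = chooseTable($allowedTables, isset($_POST['Blog']) ? $_POST['Blog'] : '');
if ($table === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('Unknown target table');
}

// Placeholders "xxx" and "databse" are the question's own values.
$pdo = new PDO('mysql:host=xxx;dbname=databse;charset=utf8', 'xxx', 'xxx', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statement
));

// The identifier is interpolated only after the whitelist check; the values never are.
$stmt = $pdo->prepare(
    "INSERT INTO `$table` (`Date`, `Title`, `Message`, `Image`)
     VALUES (NOW(), :title, :message, :image)"
);
$stmt->execute(array(
    ':title'   => isset($_POST['Title'])   ? $_POST['Title']   : '',
    ':message' => isset($_POST['Message']) ? $_POST['Message'] : '',
    ':image'   => isset($_POST['Image'])   ? $_POST['Image']   : '',
));

echo "1 record added";
```

The whitelist is the important part for the table: escaping functions only protect quoted string values, not identifiers, so any value that is not one of the two known names is rejected with a 400 rather than being placed into the SQL text.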

2 Answers

Try as below

$insert = mysql_real_escape_string($_POST['Blog']);

mysql_query("INSERT INTO ".$insert."
(Date, Title, Message, Image) 
VALUES(now(), '$_POST[Title]' , '$_POST[Message]' , '$_POST[Image]' ) ")
or die(mysql_error()); 

Recommendations:

1. Learn to prevent MySQL injections: Good Link

2. The mysql extension is not recommended for writing new code. Instead, either the mysqli or PDO_MySQL extension should be used. More reading: PHP Manual

GBD
$insert = $_POST['Blog'];
// Replaces each single quote with a backslash-escaped quote.
function clean($text) {
    $text = str_replace("'", "\'", $text);
    return $text;
}
mysql_query("INSERT INTO ".$insert."
(`Date`, `Title`, `Message`, `Image`) 
VALUES(now(), '".clean($_POST['Title'])."' , '".clean($_POST['Message'])."' , '".clean($_POST['Image'])."' ) ")
or die(mysql_error()); 
Eugen
  • You could use [mysql_real_escape_string](http://php.net/manual/en/function.mysql-real-escape-string.php) instead of clean. – Maxime Morin Nov 04 '12 at 12:08
  • I know :) but this function replaces only "'" – Eugen Nov 04 '12 at 12:11
  • That's why you should consider `mysql_real_escape_string`. There are other characters to escape. What if his post's message contains new lines? (`\n` or `\n\r`) – Maxime Morin Nov 04 '12 at 12:22
  • That is true, the Message field outputs as one big block of text; if I press enter and type more, it doesn't display the space between paragraphs. – BigOrinj Nov 04 '12 at 12:27
  • and? when you have \n, etc. in the string, n.p., but when you have ' (e.g. don't, etc.) in your string, you get an error. but when you have only a short text field with 200 characters, mysql_real_escape_string is better :) – Eugen Nov 04 '12 at 12:30
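An added example, not part of this answer or its comments: it feeds the inputs the comments argue about (an apostrophe, a trailing backslash, an embedded newline) through the answer's one-character clean() and through PHP's built-in addslashes(), and checks whether the resulting quoted literal is still one well-formed MySQL string. The literalIsWellFormed() checker is my own and follows MySQL's default quoting rules (backslash escapes the next character; a doubled '' is a literal quote); the sample inputs are constructed.

```php
<?php
// Added example (not the answer's code). Compares the answer's clean() with
// addslashes() on constructed inputs, using a small literal checker of my own.

function clean($text) {
    return str_replace("'", "\'", $text);   // the answer's function, unchanged
}

// True if $literal is exactly one single-quoted MySQL string literal: it starts
// with ' and the first unescaped ' is the very last character of the string.
function literalIsWellFormed($literal) {
    $n = strlen($literal);
    if ($n < 2 || $literal[0] !== "'") {
        return false;
    }
    for ($i = 1; $i < $n; ) {
        $c = $literal[$i];
        if ($c === '\\') {                // backslash escapes the next character
            $i += 2;
        } elseif ($c === "'") {
            if ($i + 1 < $n && $literal[$i + 1] === "'") {
                $i += 2;                  // '' inside a literal is a literal quote
            } else {
                return $i === $n - 1;     // closing quote must end the string
            }
        } else {
            $i++;
        }
    }
    return false;                         // ran off the end without a closing quote
}

// Constructed inputs matching the cases raised in the comments.
$samples = array(
    "apostrophe"         => "don't",
    "trailing backslash" => "C:\\",
    "embedded newline"   => "line one\nline two",
);

foreach ($samples as $label => $input) {
    $viaClean = "'" . clean($input) . "'";
    $viaAdd   = "'" . addslashes($input) . "'";
    printf("%-18s clean(): %-7s addslashes(): %s\n",
        $label,
        literalIsWellFormed($viaClean) ? 'ok' : 'BROKEN',
        literalIsWellFormed($viaAdd)   ? 'ok' : 'BROKEN');
}
```

The newline case bears out Eugen's point that a raw newline inside a quoted literal is legal. The trailing-backslash case is where clean() falls short: it leaves `'C:\'`, whose backslash consumes the closing quote, so the statement is malformed, while addslashes() also escapes the backslash. addslashes() is still not charset-aware, which is why a connection-bound escaper or, better, a prepared statement with bound values is the recommended tool.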