
The SQL column avatar_link isn't updating: A form submits data and directs to the script (partial) below. The SQL columns: name, comment, email and story_id all insert fine. The image saves to the server with no problem (I didn't include that part of the script to keep things brief). $tempLink is a newly created variable that should represent the URL of an image uploaded. I'm redefining the variable as $avatar_link and using POST.

    $tempLink = "http://www.website.com/avatars/" . $_FILES["file"]["name"];
    $page_path = $_POST['page_path'];
    $name = $_POST['name'];
    $comment = $_POST['comment'];
    $email = $_POST['email'];
    $storyid = $_POST['storyid'];
    $avatar_link = $_POST['$tempLink'];

    $con=mysqli_connect
    ("","","","");
    // Check connection
    if (mysqli_connect_errno())
    {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }
    $sql = 'INSERT INTO comments (name, comment, email, storyid, avatar_link, entry_date)';
    $sql .= 'VALUES("'.$name.'", "'.$comment.'", "'.$email.'", "'.$storyid.'", "'.$avatar_link.'", now())';
    if (!mysqli_query($con,$sql))
    {
    die('Error: ' . mysqli_error($con));
    }

I marked the title of this 'beginners PHP' because this question seems very basic (and I still can't figure it out)... if that is not appropriate let me know and I will remove it.

rhill45
  • 3
    I don't know PHP, but surely `$avatar_link = $_POST['$tempLink'];` should just be `$avatar_link = $tempLink;`? It's not a POST parameter, it's just a variable defined in your PHP script. – Anthony Grist Mar 13 '14 at 16:36
  • 2
    You are vulnerable to [SQL injection attacks](http://bobby-tables.com). Be more worried about that than not being able to insert your variable. – Marc B Mar 13 '14 at 16:38

1 Answer

1

$_POST variables come from a submitted form. If you are simply defining a variable and passing it into a statement for insertion into a database, you could eliminate a few steps here, and just do this:

    $avatar_link = "http://www.website.com/avatars/" . $_FILES["file"]["name"];

Also, pay attention to @Marc B's comment here. You can learn about parameterizing mysqli statements all over the web, or here on Stack Overflow. What's really best, and what I'd recommend, is learning PDO.

larsAnders
  • that did it. Also I'm posting a new question about security risks and their priority when designing a website. thank you all. great feedback here as always. – rhill45 Mar 13 '14 at 16:51
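
The parameterized insert that the comment and answer above point to, written with PDO as an added example (it is not code from the question or the answer). The helper names `avatarLink` and `insertComment`, the in-memory SQLite database and the sample form values are assumptions made so that it runs without a MySQL server.

```php
<?php
// Added example: helper names and the SQLite in-memory DSN are assumptions.

function avatarLink(array $file): string
{
    // The upload's "name" is client-supplied: keep only the final path component.
    $safeName = basename($file['name']);
    return 'http://www.website.com/avatars/' . rawurlencode($safeName);
}

function insertComment(PDO $pdo, array $post, array $file): int
{
    // Placeholders keep the submitted values out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'INSERT INTO comments (name, comment, email, storyid, avatar_link, entry_date)
         VALUES (:name, :comment, :email, :storyid, :avatar_link, CURRENT_TIMESTAMP)'
    );
    $stmt->execute([
        ':name'        => $post['name'],
        ':comment'     => $post['comment'],
        ':email'       => $post['email'],
        ':storyid'     => (int) $post['storyid'],
        ':avatar_link' => avatarLink($file),
    ]);
    return (int) $pdo->lastInsertId();
}

// SQLite in memory so it runs without a server; for MySQL change only the DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, name TEXT, comment TEXT,
            email TEXT, storyid INTEGER, avatar_link TEXT, entry_date TEXT)');

// Constructed stand-ins for $_POST and $_FILES["file"].
$post = ['name' => "O'Brien", 'comment' => 'He said "great story"',
         'email' => 'reader@example.com', 'storyid' => '7'];
$file = ['name' => '../me and cat.png'];

// Values containing quotes are stored literally instead of breaking the statement.
$id  = insertComment($pdo, $post, $file);
$sel = $pdo->prepare('SELECT name, comment, avatar_link FROM comments WHERE id = ?');
$sel->execute([$id]);
print_r($sel->fetch(PDO::FETCH_ASSOC));
```

The quotes in the name and comment would end the string literals early in the concatenated query from the question; here they travel as bound data, and the avatar URL is built server-side from the sanitized file name rather than read from `$_POST`.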