I am uploading a comment and subject that is being given to a php file from an HTML form. But I would like to store the name of a file link; the name of the file is $ran2 and is being generated in the php file. Comment:

    <tr>
        <td><input type="submit" name="submit" value="upload"></td>
    </tr>

    </table>
    <?php
    $ran2 = rand () ;
    $insert = "INSERT INTO images (image, comment, subject)
        VALUES ('".$_POST[$ran2]"', '".$_POST['text']."','".$_POST['subject']."')";
    $add_member = mysql_query($insert);
    ?>

With $_POST[$ran2] I am storing nothing in the database and would like to store the string $ran2.

woodchuck

  • You should read up on sql injection. – jeroen Apr 11 '14 at 16:19
  • for the love of god, stop using mysql_* series of functions and switch to mysqli or PDO already ! – Sanketh Apr 11 '14 at 16:21
  • Save file with a dash of SQL injection and a sprinkle of misery to DB. Your present code is open to [**SQL injection**](http://stackoverflow.com/q/60174/). Use [**prepared statements**](http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php), or [**PDO**](http://php.net/pdo) – Funk Forty Niner Apr 11 '14 at 16:22
  • then don't use $_POST[$ran2] instead of that just put $ran2 – Dexa Apr 11 '14 at 16:27

1 Answer

The problem with this is a missing . and the fact that $ran2 is not a member of the $_POST array so you can't call it with $_POST[$ran2]:

$insert = "INSERT INTO images (image, comment, subject)
    VALUES ('".$_POST[$ran2]."', '".$_POST['text']."','".$_POST['subject']."')";
                 missing----^

So it will work if you simply change the variable to $ran2 and get the missing period in there:

$insert = "INSERT INTO images (image, comment, subject)
    VALUES ('".$ran2."', '".mysql_real_escape_string($_POST['text'])."','".mysql_real_escape_string($_POST['subject'])."')";

And to second what they are saying in the comments, you really need to switch to using prepared statements in mysqli or PDO.

larsAnders
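The answer and the comments both point at prepared statements without showing them. Below is the same INSERT rewritten with PDO, added here as an example; it is not the asker's or the answerer's code. The DSN, credentials and the `images` table layout are assumptions; the file name is still the `$ran2` value from the question, stored directly rather than looked up in `$_POST`.

```php
<?php
// Added example: the question's INSERT done with a PDO prepared statement.
// The DSN, database name and credentials below are assumed placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4', // assumed DSN
    'db_user',                                                // assumed user
    'db_password',                                            // assumed password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly instead of silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

// Same file-name generation as in the question. Note that rand() is the page's
// choice here; it is a value the script produced, so it is used as-is, not taken from $_POST.
$ran2 = rand();

// Refuse a request that lacks the form fields rather than inserting empty strings.
if (!isset($_POST['text'], $_POST['subject'])) {
    http_response_code(400);
    exit('Missing form fields');
}

// Named placeholders stand in for the values. The query text is sent to the server
// once, and the values travel separately, so quotes or SQL keywords in the comment
// or subject can never change the statement's structure.
$stmt = $pdo->prepare(
    'INSERT INTO images (image, comment, subject) VALUES (:image, :comment, :subject)'
);
$stmt->execute([
    ':image'   => (string) $ran2,
    ':comment' => $_POST['text'],
    ':subject' => $_POST['subject'],
]);

// Escape on output too: the stored value is echoed back into an HTML page.
echo 'Stored file name ' . htmlspecialchars((string) $ran2, ENT_QUOTES, 'UTF-8');
```

Because the values are bound rather than concatenated, no `mysql_real_escape_string` call is needed, and the `mysql_*` functions (removed in PHP 7) are not used at all. The same pattern applies with `mysqli` using `?` positional placeholders and `bind_param`.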