How do I add text to a record when inserting from php?

Question

I am using this statement to add information to a database

$sql = "INSERT INTO test1 (manufacturer, name, url) VALUES ('{$_POST['manufacturer']}','{$_POST['name']}', '{$_POST['url']}')";
var_dump($sql);

I would like to add http://webaddress.com/ before the $_POST['url']. So if I enter in file name example it will go into the record as http://webaddress.com/example

[Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! — Jay Blanchard, Apr 12 '16 at 20:23
This is simply a matter of concatenating the url prefix before the variable. — Eduardo Galván, Apr 12 '16 at 20:23

score 1 · Accepted Answer · edited May 23 '17 at 11:50

1

You just need to concatenate your string and your variable

"INSERT INTO test1 (manufacturer, name, url) VALUES ('".$_POST['manufacturer']."','".$_POST['name']."', 'http://webaddress.com/".$_POST['url']."')";

As side note I would like you to focus your attention on sql injection since your code is vulnerable and you are at risk

edited May 23 '17 at 11:50

Community

1
1

answered Apr 12 '16 at 20:32

Fabio

23,183
12
55
64

The new statement works. I have the sql injection prevention added a little bit higher at the top. I have a question about what you did though. I did what you did with the webaddress but it didn't work. It looks like you added a . before each of the other $_POST that I did not. What you did works but I wanted to keep the data from the other 2 forms the same so I didn't touch those. If one thing is concatenated in a statement does that mean everything needs the .? – Tyler Jensen Apr 13 '16 at 15:30
But I only wanted to concatenate the url one not the others. What you did works, I am just trying to understand why. – Tyler Jensen Apr 13 '16 at 19:15
You can either concatenate only the url then – Fabio Apr 14 '16 at 05:57
I tried that but it didn't work, that is when I came here. – Tyler Jensen Apr 14 '16 at 16:01

How do I add text to a record when inserting from php?

1 Answers1