-3

I would like to add the word "Megapixels" after $_POST['mp'] so that within the 'mp' text box if I enter 12, it will save 12 Megapixels to the database.

PHP where I store the passed 'mp' value in the variable '$mp':

$mp = $cameras->real_escape_string($_POST['mp']);

I have tried the following

$mp = $cameras->real_escape_string($_POST['mp'] . "Megapixels");
$mp = $cameras->real_escape_string($_POST['mp']) . "Megapixels";

I'm sure this would be very easy to do, I'm just missing something.

Thanks for your help

CODE UPDATE:

<?php 
    if (isset($add)) {
        /* GET FROM POST */
        $brand = $cameras->real_escape_string($_POST['brand']);
        $category = $cameras->real_escape_string($_POST['category']);
        $model = $cameras->real_escape_string($_POST['model']);
        $mp = $cameras->real_escape_string($_POST['mp']);
        /* QUERY */
        if (mysqli_query($cameras, "INSERT INTO models(
            /* ROW NAME */
            brand, category, model, mp

            ) VALUES(
            /* VARIABLE NAME */
            '$brand', '$category', '$model', '$mp'

            )")) {
            header("Location: http://admin.specced.co.uk?suc=3");
        } 
    }
?>
Bradley
  • 129
  • 10
  • 1
    What isn't working? What is $cameras? statement? connection? – Sloan Thrasher May 11 '17 at 21:42
  • @SloanThrasher No I am able to add the passed value to the database, I just want to add "Megapixels" onto the end of it – Bradley May 11 '17 at 21:43
  • 1
    Why not just use prepared statements, then you don't have to think about escaping the string. – Qirel May 11 '17 at 21:43
  • I have thought of that, but there must be a way to add this on without prepared statements – Bradley May 11 '17 at 21:45
  • 1
    Again, what isn't working with the code you show? Does the column in the table have the Megapixels or not? What is the column type? Is it a string type? – Sloan Thrasher May 11 '17 at 21:45
  • 2
    Of course there's a way without prepared statements, but then you are open to SQL injection. – Sloan Thrasher May 11 '17 at 21:46
  • No it doesn't have megapixels.... the column name is 'mp' I just want to add on "megapixels" when a value is inputted.... the type is a VARCHAR – Bradley May 11 '17 at 21:46
  • @SloanThrasher this is a backend system so I'm not too worried, if there is a way, I would like to know – Bradley May 11 '17 at 21:47
  • Show your code. The little bit you show should work, but that's based on a lot of presumptions about the code around it. – Sloan Thrasher May 11 '17 at 21:49
  • @SloanThrasher Thank you, I have added the code chunk that adds the values into the DB – Bradley May 11 '17 at 21:57
  • Based on your code, it should work unless there's a "special character" or something not shown in your question. I would use the 2nd form of the two you show. Is error reporting turned on? – Sloan Thrasher May 11 '17 at 22:07
  • 1
    "This is a backend system so I'm not too worried"... Be worried. This sort of casual dismissal is how you get into serious trouble. **Use prepared statements with placeholder values** like your life depends on it, because it just might. The internet is an extremely hostile place, and just because something's behind a password field doesn't mean it's secure. If you're not using prepared statements, someone can likely find a flaw in your code and bust through your login layer like it's not even there. – tadman May 11 '17 at 22:16
  • Thank you, but prepared statements is not going to allow me to concatenate into the end of the value is it? – Bradley May 11 '17 at 22:18
  • A) It **will**. Just bind to `$_POST['mp'] . " Megapixels"` B) You should probably store things like "megapixels" in another column anyway. It's more convenient to operate on it when it's broken out as a unit-type field. – tadman May 11 '17 at 22:18
  • This is as simple as `$mp = $cameras->real_escape_string($_POST['mp']); $mp = $mp . "Megapixels";` and if that fails, then your HTML form failed. – Funk Forty Niner May 11 '17 at 22:24
  • btw `if (mysqli_query($cameras,` doesn't work that way; you need a db connection here, not a variable from your form's input. That's if `$cameras` isn't your db connection and we don't know what that is. So this question is too unclear, IMHO. You should use naming conventions pertinent to a db connection, not an object. – Funk Forty Niner May 11 '17 at 22:26
  • *"prepared statements is not going to allow me to concatenate into the end of the value is it?"* - Depends how it's done, and it can be done. @Bradley - you'll need to @ me here if you want more help from me or if my other comment solved this; I feel it did. – Funk Forty Niner May 11 '17 at 22:33
  • *"so that within the 'mp' text box if I enter 12, it will save 12 Megapixels to the database."* - I don't know what you mean by that. Sorry, but your question is too unclear and I was about to post an answer but alas, decided not to. Stick with RamRaider's answer, I'll have to pass on this one. – Funk Forty Niner May 11 '17 at 22:40

1 Answer

-1

Before you process the $_POST array try changing the value of $_POST['mp']?

$_POST['mp'].='Megapixels';
$mp = $cameras->real_escape_string( $_POST['mp'] );
Professor Abronsius
  • 33,063
  • 5
  • 32
  • 46
  • Unfortunately this does not work and just causes the page to crash, no error shown. – Bradley May 11 '17 at 21:58
  • Really? Worked in a little test just now. The test was, in the form target of a particular form `$_POST['MAX_FILE_SIZE'].='bananas';exit( $_POST['MAX_FILE_SIZE'] );` which outputted `786432bananas` where `786432` was the permitted size ... – Professor Abronsius May 11 '17 at 22:02
  • Definitely doesn't work for me, is there any other code I can show in case something else was causing it not to work? – Bradley May 11 '17 at 22:04
  • `$_POST['mp'].='Megapixels'; exit( print_r( $_POST ) );` – Professor Abronsius May 11 '17 at 22:09
  • I just tried this and get the following : Array ( [brand] => 9 [category] => 52 [model] => ggg [mp] => gggggMegapixels [add] => Add ) 1 – Bradley May 11 '17 at 22:12
  • Maybe you cannot concatenate real_escape_string? – Bradley May 11 '17 at 22:13
  • 1
    looks like the value is being concatenated given the above data dump – Professor Abronsius May 11 '17 at 22:13
  • Yes it is, possibly you cannot concatenate real_escape_string, I know I have the DB set up correctly as the mp row is a VARCHAR – Bradley May 11 '17 at 22:15
  • 1
    `real_escape_string` just returns a string. It's not magical or special in any way. – tadman May 11 '17 at 22:17
  • @Bradley The array dump shows `gggggMegapixels`. Why would you think it isn't concatenated? The code has got to be failing for some error unrelated to string concatenation. Most likely with `mysqli_query()`. Please have a look at [this post](http://stackoverflow.com/q/16835753/2298301) to write and execute a simple query first. And once that works, consider using _Prepared Statements_ - for example [this answer](http://stackoverflow.com/a/1290995) - as suggested in the comments above. – Dhruv Saxena May 11 '17 at 22:51
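
The prepared-statement approach recommended in the comments, with the " Megapixels" suffix concatenated before binding and mysqli error reporting switched on so a failing query is no longer silent. This is an added example, not code from the thread; the helper name `insert_model`, the connection credentials, the database name and the numeric check on `mp` are assumptions.

```php
<?php
// Added example, not code from the thread. Credentials are placeholders.

// Make mysqli throw exceptions instead of failing silently, so a bad
// query no longer shows up as a blank page with no error.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Insert one camera model using bound parameters.
 * insert_model is a hypothetical helper name.
 */
function insert_model(mysqli $db, array $post): void
{
    // Pull the expected fields; a missing field becomes an empty string.
    $brand    = trim((string)($post['brand'] ?? ''));
    $category = trim((string)($post['category'] ?? ''));
    $model    = trim((string)($post['model'] ?? ''));
    $mpRaw    = trim((string)($post['mp'] ?? ''));

    // Assumption: mp is a plain number such as "12" or "24.2".
    if (!preg_match('/^\d{1,4}(\.\d{1,2})?$/', $mpRaw)) {
        throw new InvalidArgumentException('mp must be a number');
    }

    // Concatenate in PHP, then bind the finished string. The value is
    // sent separately from the SQL text, so no escaping is involved.
    $mp = $mpRaw . ' Megapixels';

    $stmt = $db->prepare(
        'INSERT INTO models (brand, category, model, mp) VALUES (?, ?, ?, ?)'
    );
    // bind_param takes its arguments by reference, hence the variables.
    $stmt->bind_param('ssss', $brand, $category, $model, $mp);
    $stmt->execute();
    $stmt->close();
}

if (isset($_POST['add'])) {
    // Placeholder host, user, password and database name.
    $cameras = new mysqli('localhost', 'db_user', 'db_password', 'cameras_db');
    $cameras->set_charset('utf8mb4');

    insert_model($cameras, $_POST);

    header('Location: http://admin.specced.co.uk?suc=3');
    exit; // stop here so nothing else runs after the redirect
}
```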