Retrieving data to insert and also inserting inputted data

Question

What is the problem

$id = $_POST['name']; //prevents types of SQL injection
$newCandidatePosition = $_POST['position']; //prevents types of SQL injection
$sql = mysql_query("INSERT INTO tbCandidates(`student_id`,`candidate_name`, `candidate_gender`,`candidate_grade`,`candidate_section`,`candidate_position('$newCandidatePosition'))"." SELECT `id`,`student_name`, `student_gender`,`student_grade`,`candidate_section`"." FROM tbstudent WHERE id='$id'");

What is this: `candidate_position('$newCandidatePosition')`? — Shadow, Sep 16 '17 at 06:20
i also want to insert in database the input of the user but its not inserting :( — Kosaki Onodera, Sep 16 '17 at 06:30
`$id = $_POST['name']` doesn't prevent any type of SQL injection. You should convert to mysqli or PDO and use prepared statements. See https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 — Barmar, Sep 16 '17 at 06:44

score 0 · Accepted Answer · answered Sep 16 '17 at 06:47

If you want to include the value of $newCandidatePosition into the data that you're inserting, you include it as a literal in the SELECT list, not in the list of columns you're inserting into.

$id = mysql_real_escape_string($_POST['name']); //prevents types of SQL injection
$newCandidatePosition = mysql_real_escape_string($_POST['position']); //prevents types of SQL injection
$sql = mysql_query("INSERT INTO tbCandidates(`student_id`,`candidate_name`, `candidate_gender`,`candidate_grade`,`candidate_section`,`candidate_position`)
    SELECT `id`,`student_name`, `student_gender`,`student_grade`,`candidate_section`, '$newCandidatePosition'
    FROM tbstudent WHERE id='$id'");

Retrieving data to insert and also inserting inputted data

1 Answers1