
I wrote a query to put records in a table and at the same time create another. The table is created but the data is not entered. Where am I wrong? This is my code:

```php
$sql = "INSERT INTO progetti
        (data, ora, nome_progetto, anagrafica_id, preventivo, budget, eurora, scadenza, scontoaggiuntivo, ref1, tel_ref1, mail_ref1, contenuto, stato_id)
        VALUES
        ('".$_POST["data"]."',
         '".$_POST["ora"]."',
         '".$_POST["nome_progetto"]."',
         '".$_POST["anagrafica_id"]."',
         '".$_POST["preventivo"]."',
         '".$_POST["budget"]."',
         '".$_POST["eurora"]."',
         '".$_POST["scadenza"]."',
         '".$_POST["scontoaggiuntivo"]."',
         '".$_POST["ref1"]."',
         '".$_POST["tel_ref1"]."',
         '".$_POST["mail_ref1"]."',
         '".$_POST["contenuto"]."',
         '".$_POST["stato_id"]."'
        )";

        "CREATE TABLE $_POST[nome_progetto] (
          id INT(11) AUTO_INCREMENT PRIMARY KEY,
          data date,
          intervento varchar(30),
          descrizione varchar(70),
          ore int(2)
        )";
```
Masivuye Cokile
M.Max
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Sep 20 '17 at 15:06
  • Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Sep 20 '17 at 15:07
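The prepared-statement rewrite that the comment recommends, as an added example (this is neither the asker's code nor the commenter's): every POST value is bound as a parameter instead of being concatenated into the SQL text, and, because a table name cannot be a bound parameter, `nome_progetto` is checked against a strict identifier pattern before it is interpolated into the `CREATE TABLE`. The DSN, credentials, the `validTableName` helper and the error handling are assumptions; the column and table names are the ones from the question.

```php
<?php
// Added example, not the asker's code. Assumes a MySQL database reachable with the
// placeholder DSN/credentials below and containing the `progetti` table from the question.
$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4',   // placeholder DSN
    'example_user',                                             // placeholder user
    'example_password',                                         // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly instead of silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
    ]
);

// Columns of `progetti` that the form may fill (taken from the question). The column
// names come from this fixed list, never from the request.
$columns = ['data', 'ora', 'nome_progetto', 'anagrafica_id', 'preventivo', 'budget',
            'eurora', 'scadenza', 'scontoaggiuntivo', 'ref1', 'tel_ref1', 'mail_ref1',
            'contenuto', 'stato_id'];

// "INSERT INTO progetti (data, ...) VALUES (:data, ...)" built from the fixed list.
$placeholders = array_map(fn(string $c): string => ':' . $c, $columns);
$insertSql = sprintf('INSERT INTO progetti (%s) VALUES (%s)',
                     implode(', ', $columns), implode(', ', $placeholders));

// Bind each POST value by name; a missing field becomes NULL rather than a PHP notice.
$params = [];
foreach ($columns as $c) {
    $params[':' . $c] = $_POST[$c] ?? null;
}

// Hypothetical helper: a table name cannot be parameterised, so only a conservative
// identifier shape is accepted before it is placed inside backticks.
function validTableName(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z][A-Za-z0-9_]{0,63}$/', $name);
}

$progetto = $_POST['nome_progetto'] ?? '';
if (!validTableName($progetto)) {
    http_response_code(400);
    exit('Invalid project name');
}

// MySQL DDL (CREATE TABLE) commits implicitly and cannot be rolled back, so the table is
// created first; if the INSERT then fails, the new table is dropped again by hand.
$createSql = sprintf(
    'CREATE TABLE `%s` (
        id INT(11) AUTO_INCREMENT PRIMARY KEY,
        data DATE,
        intervento VARCHAR(30),
        descrizione VARCHAR(70),
        ore INT(2)
    )',
    $progetto
);

$tableCreated = false;
try {
    $pdo->exec($createSql);
    $tableCreated = true;

    $stmt = $pdo->prepare($insertSql);
    $stmt->execute($params);
} catch (PDOException $e) {
    if ($tableCreated) {
        // Best-effort cleanup so a failed request does not leave an orphan table behind.
        $pdo->exec(sprintf('DROP TABLE IF EXISTS `%s`', $progetto));
    }
    error_log('progetti create/insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Database error');
}
```

With `PDO::ERRMODE_EXCEPTION` a failing statement throws instead of returning `false`, which is the quickest way to find out why an insert silently did nothing; with `ATTR_EMULATE_PREPARES` off the values are sent to the server separately from the SQL text, so no quoting or escaping of the POST data is involved at all.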

0 Answers