Nanomurf

Reputation: 759

Proper syntax for adding php post data into mySQL string

I have a single field post of the form:

<form action="post.php" method="post">
<input type="text" name="foo" />
</form>

I am trying to insert foo into a small mySql table named 'datatable' in the database 'mydatabase' in post.php.

This string works for me to add a data row in my table:

mysql_query('INSERT INTO `mydatabase`.`datatable` (`data`) VALUES (\'testabc\');');

So I know my connection string is working. However, I cannot figure out how to insert the actual post data ($_POST['foo']) into my table. I have tried strings such as:

mysql_query('INSERT INTO `mydatabase`.`datatable` (`data`) VALUES (\'' + $_POST['foo'] + '\');');

But cannot figure out the correct syntax to make this work. Can any of you brilliant minds help hint me in the right direction?

Many thanks...

Upvotes: 0

Views: 160

Answers (2)

Erik

Reputation: 2264

Your problem is that you're using + to concatenate the parts of the query string. In PHP, string concatenation is done using the dot (.). What you could do is:

mysql_query('INSERT INTO `mydatabase`.`datatable` (`data`) VALUES (\'' . mysql_real_escape_string($_POST['foo']) . '\');');

but, as was mentioned in the comments below, you really should be using PDO.

Upvotes: 1

Explosion Pills

Reputation: 191729

PHP uses . for concatenation, not +.

However, you really shouldn't use mysql_*. I highly suggest PDO. It's simple to use and will protect you from injection (to which you are currently vulnerable). You may also need to consider that magic quotes is enabled, so stripslashes on the post data may be appropriate. trim usually is as well.

Upvotes: 2
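The PDO route that both answers recommend, as an added example that is not code from either answer: the form value is bound as a parameter instead of being concatenated into the SQL text, so quotes in the input are stored as data. The function name save_foo, the 255-character limit, and the use of an in-memory SQLite database in place of MySQL (so the script runs without a server) are assumptions.

```php
<?php
// Added example. SQLite in memory stands in for MySQL so this runs offline (assumption).
// For MySQL the DSN would be e.g. 'mysql:host=localhost;dbname=mydatabase;charset=utf8mb4',
// and PDO::ATTR_EMULATE_PREPARES should be set to false to get server-side prepares.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // throw on SQL errors
$pdo->exec('CREATE TABLE datatable (id INTEGER PRIMARY KEY, data TEXT NOT NULL)');

/**
 * Validate one form field and insert it with a bound parameter.
 * Hypothetical helper: returns the new row id, or null if the input is rejected.
 */
function save_foo(PDO $pdo, array $post): ?int
{
    $foo = $post['foo'] ?? null;
    if (!is_string($foo)) {
        return null;                 // field missing, or sent as an array (foo[]=...)
    }
    $foo = trim($foo);
    if ($foo === '' || strlen($foo) > 255) {
        return null;                 // 255 is an assumed column limit
    }
    // The SQL text is fixed; the value travels separately from it.
    $stmt = $pdo->prepare('INSERT INTO datatable (data) VALUES (:data)');
    $stmt->execute([':data' => $foo]);
    return (int) $pdo->lastInsertId();
}

// Constructed sample inputs standing in for $_POST.
$samples = [
    ['foo' => '  testabc  '],
    ['foo' => "O'Reilly"],
    ['foo' => "x'); DROP TABLE datatable; --"],
    ['foo' => ['not', 'a', 'string']],
    [],
];
foreach ($samples as $post) {
    $id = save_foo($pdo, $post);
    echo $id === null ? "rejected\n" : "stored as row $id\n";
}

// Every accepted value comes back exactly as submitted, quotes included.
foreach ($pdo->query('SELECT id, data FROM datatable ORDER BY id') as $row) {
    echo $row['id'], ': ', $row['data'], "\n";
}
```

In post.php the call would be save_foo($pdo, $_POST); no escaping function is needed because the value never becomes part of the SQL string.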
