Reputation: 371
I have this function that inserts data from a checkbox into my SQL database and it works just fine, but I'm pretty new to this so I would like to know if there is a better/safer (from SQL injections) way to do this. I know I should be using PDO with prepared statements, but that is something I am tackling later.
Here is the form that produces the HTML checkboxes:
<form action="" method="post">
<?php
if (empty($clients) === true) {
    echo '<p>You do not have any clients yet.</p>';
} else {
    foreach ($clients as $client) {
        // value is user_id|class_id|first_name|nickname|last_name (this order must match the explode() in the handler)
        echo '
        <input type="checkbox" name="client_data[]" value="' . $_SESSION['user_id'] . '|' . $class_id . '|' . $client['first_name'] . '|' . $client['nickname'] . '|' . $client['last_name'] . '">
        ' . $client['first_name'] . ' (' . $client['nickname'] . ') ' . $client['last_name'] . '
        <br />';
    } // foreach $client
} // if empty
?>
<!-- submit button named after the key the handler below checks -->
<input type="submit" name="exist_to_class" value="Add to class">
</form>
Here is the PHP that calls the function:
if (isset($_POST['exist_to_class'])) {
    if (empty($_POST['client_data'])) {
        $errors[] = 'You must select a client to be added to the class.';
    } else {
        foreach ($_POST['client_data'] as $cd) {
            exist_client_to_class($cd);
        } // foreach $cd
        // redirect once, after every selected client has been inserted
        header('Location: view_class.php?class_id=' . $class_id);
        exit;
    } // else
} // isset
And here is my function that inserts the data into the db:
// add existing client to class ----------------------------------------------------
function exist_client_to_class($cd) {
    // same field order as the checkbox value built by the form
    list($user_id, $class_id, $first_name, $nickname, $last_name) = explode('|', $cd);
    // values are interpolated straight into the SQL string (no escaping)
    mysql_query("INSERT INTO `clients` (user_id, class_id, first_name, last_name, nickname, date)
                 VALUES('$user_id', '$class_id', '$first_name', '$last_name', '$nickname', CURDATE())");
}
UPDATE: First stab at a PDO prepared statement:
// $conn is the PDO connection from the connect file; it is passed in because
// a global variable is not visible inside the function otherwise
function exist_client_to_class(PDO $conn, $cd) {
    try {
        $stmt = $conn->prepare('INSERT INTO clients
            (user_id, class_id, first_name, last_name, nickname, date)
            VALUES (:user_id, :class_id, :first_name, :last_name, :nickname, CURDATE())
        ');
        // same field order as the checkbox value built by the form
        list($user_id, $class_id, $first_name, $nickname, $last_name) = explode('|', $cd);
        $stmt->execute(array(
            ':user_id'    => $user_id,
            ':class_id'   => $class_id,
            ':first_name' => $first_name,
            ':last_name'  => $last_name,
            ':nickname'   => $nickname
        ));
    } catch (PDOException $e) {
        echo 'Error: ' . $e->getMessage();
    }
}
Here is the db connect file:
// PDO database connect
try {
    $conn = new PDO('mysql:host=localhost;dbname=customn7_cm', '**********', '**********');
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $conn->exec("SET CHARACTER SET utf8");
} catch (PDOException $e) {
    echo 'ERROR: ' . $e->getMessage();
}
Upvotes: 2
Views: 406
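The following is an added example, not code from the question or from either answer. It takes the question's own design (a checkbox value of the form user_id|class_id|first_name|nickname|last_name, split on the server and inserted into `clients`) and rewrites the insert around a PDO prepared statement, with the two checks the question's code lacks: the split value is validated before use, and the user_id is taken from the session rather than from the posted value, since anything embedded in a form field comes back from the browser and can be edited. The table layout and the sample checkbox values are constructed for the self-test, which runs on an in-memory SQLite connection instead of the question's MySQL server; the function itself is database-agnostic.

```php
<?php
// Added example: PDO prepared-statement version of the question's insert.
// Assumptions (not from the page): a PDO connection $conn, a `clients` table
// with the question's columns, and the form's field order
// user_id|class_id|first_name|nickname|last_name.
declare(strict_types=1);

/**
 * Parse one checkbox value. Returns null unless it has exactly the five
 * pipe-separated fields the form produces and both ids are integers.
 * A '|' inside a name would change the field count, so such a value is
 * rejected instead of silently shifting fields into the wrong columns.
 */
function parse_client_data(string $cd): ?array
{
    $parts = explode('|', $cd);
    if (count($parts) !== 5) {
        return null;
    }
    [$user_id, $class_id, $first_name, $nickname, $last_name] = $parts;
    if (!ctype_digit($user_id) || !ctype_digit($class_id)) {
        return null;
    }
    return [
        'user_id'    => (int) $user_id,
        'class_id'   => (int) $class_id,
        'first_name' => $first_name,
        'nickname'   => $nickname,
        'last_name'  => $last_name,
    ];
}

/**
 * Insert one client row. The SQL text never contains user input: every value
 * is a bound parameter, so quotes and SQL fragments in a name are stored as
 * data rather than executed.
 */
function exist_client_to_class(PDO $conn, int $session_user_id, string $cd): bool
{
    $row = parse_client_data($cd);
    if ($row === null) {
        return false;
    }
    // The user_id in the checkbox value was written by the server, but it
    // returns through the browser and can be tampered with; trust the session.
    $row['user_id'] = $session_user_id;
    // The question uses MySQL's CURDATE(); binding the date from PHP keeps the
    // statement portable to the SQLite connection used in the self-test.
    $row['date'] = date('Y-m-d');

    $stmt = $conn->prepare(
        'INSERT INTO clients (user_id, class_id, first_name, last_name, nickname, date)
         VALUES (:user_id, :class_id, :first_name, :last_name, :nickname, :date)'
    );
    return $stmt->execute($row);
}

// --- self-test on an in-memory SQLite database (constructed sample data) ---
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE clients (user_id INTEGER, class_id INTEGER, first_name TEXT,
             last_name TEXT, nickname TEXT, date TEXT)');

$session_user_id = 7;
$posted = [
    "7|12|Ann|Annie|Smith",                              // ordinary checkbox value
    "7|12|Bob|Bobby|O'Brien'); DROP TABLE clients; --",  // quote plus SQL inside a name
    "99|12|Eve|Evil|Tamper",                             // user_id edited client-side
    "7|12|broken",                                       // too few fields
];
$inserted = 0;
foreach ($posted as $cd) {
    if (exist_client_to_class($conn, $session_user_id, $cd)) {
        $inserted++;
    }
}
$rows = $conn->query('SELECT user_id, last_name FROM clients ORDER BY rowid')
             ->fetchAll(PDO::FETCH_ASSOC);
$owners = array_unique(array_map('intval', array_column($rows, 'user_id')));

if ($inserted !== 3) {
    throw new RuntimeException("expected 3 inserts, got $inserted");
}
if ($rows[1]['last_name'] !== "O'Brien'); DROP TABLE clients; --") {
    throw new RuntimeException('quoted name was not stored verbatim');
}
if ($owners !== [7]) {
    throw new RuntimeException('a row was stored under a user_id other than the session user');
}
echo "inserted $inserted rows, all owned by user $session_user_id, table still present\n";
```

Running this prints the final line: the malformed value is rejected, the name containing a quote and a DROP statement is stored character for character as a last name, and the value whose user_id was changed to 99 is stored under the session user. The connection from the question's connect file can be passed in place of the SQLite one; the only MySQL-specific piece dropped here is CURDATE(), replaced by a bound date.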
Reputation: 472
This works for most SQL injections: (from php.net)
declaration:
string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier = NULL ] )
// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password') OR die(mysql_error());
// Query: each value is escaped for the open connection before being placed in the SQL string
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
    mysql_real_escape_string($user),
    mysql_real_escape_string($password));
Upvotes: 1
Reputation: 5740
To put it simply, yes.
You aren't sanitizing or escaping your user data in any way, and you are using the old mysql_*
community-deprecated functions. Your best bet is to start using PDO
or MySQLi.
Read this article: PHP Database Access: Are You Doing It Correctly?
Upvotes: 2