Here is a simple way to insert into a database that isn't much harder than using string concatenation - which we all know is very dangerous due to SQL injection attacks.
Put the code snippet into
Now, in a script handling a form post, such as
<?php require_once("database.php"); // Get session and post data to insert - no need for mysql_real_escape_string or other escaping // (Note: Passwords should still go through password_hash() or crypt() though!) $member_id = $_SESSION['member_id']; $response_to = isset($_POST['response_to']) ? $_POST['response_to'] : (isset($_GET['response_to']) ? $_GET['response_to'] : ''); $subject = isset($_POST['subject']) ? $_POST['subject'] : ''; $post = isset($_POST['post']) ? $_POST['post'] : ''; // Use the db_query function from database.php with a parameter array to safely embed values into // the query without string subsitution. I seem to remember parameter binding doesn't quite work // properly without the reference operator (&) on each variable in this array but can't test at // the moment. $result = db_query('INSERT INTO posts(author, response_to, subject, post) VALUES(?, ?, ?, ?)', array(&$member_id, &$response_to, &$subject, &$post));
Even better of course would be to use a framework such as Laravel but for simple scripts this is very safe to use.
Edited by pritaeas: Changed to code snippet.