[Chugalug] Newbie question

Dan Lyke danlyke at flutterby.com
Sat Aug 17 15:24:43 UTC 2013


On Fri, 16 Aug 2013 20:18:04 -0400
Randy Yates <lpcustom at gmail.com> wrote:
> Tyler, your SQL statement may be failing. Have you tried that
> statement manually in mysql? You may need to add VALUES like so:
> 
>    1. INSERT INTO sedan ( year, make, model, color, price)
>    values('{$_POST['year']}','{$_POST['make']}', '{$_POST['model']}',
>    '{$_POST['color']}', '{$_POST['price']}')";

I know nothing about PDO, and am not generally a fan of ORMs, but never
ever ever do this.

Use bound variables, or make sure that values put into SQL statements
get properly quoted.

Here's why: http://xkcd.com/327/

Dan
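The two patterns contrasted in this thread, as an added example that is not from the original mailing-list post: the interpolated INSERT from the quoted reply beside a PDO version that uses bound parameters. The `sedan` table columns come from the thread; the DSN, credentials and the `$pdo` handle are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL table `sedan`
// with the columns used in the quoted INSERT (year, make, model, color, price).

// 1. The pattern the reply warns against: request data spliced into the SQL
//    text. Any quote or SQL syntax inside a field is parsed as part of the
//    statement instead of being treated as data.
function insertSedanUnsafe(PDO $pdo, array $post): void
{
    $sql = "INSERT INTO sedan (year, make, model, color, price)
            VALUES ('{$post['year']}', '{$post['make']}', '{$post['model']}',
                    '{$post['color']}', '{$post['price']}')";
    $pdo->exec($sql);   // data and SQL are mixed: never do this
}

// 2. Bound variables: the SQL text is fixed at prepare() time and the values
//    travel separately, so user input can only ever be a value.
function insertSedan(PDO $pdo, array $post): int
{
    // Read only the fields we expect; anything else in $post is ignored.
    $fields = ['year', 'make', 'model', 'color', 'price'];
    $row = [];
    foreach ($fields as $f) {
        $row[$f] = $post[$f] ?? null;
    }

    $stmt = $pdo->prepare(
        'INSERT INTO sedan (year, make, model, color, price)
         VALUES (:year, :make, :model, :color, :price)'
    );
    $stmt->bindValue(':year',  (int) $row['year'], PDO::PARAM_INT);
    $stmt->bindValue(':make',  $row['make'],       PDO::PARAM_STR);
    $stmt->bindValue(':model', $row['model'],      PDO::PARAM_STR);
    $stmt->bindValue(':color', $row['color'],      PDO::PARAM_STR);
    // price is bound as a string so a DECIMAL column is not rounded through float
    $stmt->bindValue(':price', $row['price'],      PDO::PARAM_STR);
    $stmt->execute();

    return (int) $pdo->lastInsertId();
}

// Connection settings (assumed DSN and credentials): throw on errors instead of
// failing silently, and use real server-side prepares rather than emulated ones.
$pdo = new PDO('mysql:host=localhost;dbname=cars;charset=utf8mb4', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$id = insertSedan($pdo, $_POST);
```

With `ERRMODE_EXCEPTION` set, a failing statement raises a `PDOException` instead of the silent failure the thread's original poster was apparently hitting.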

