Thread: nubian mularkey
jammaster82

$sql = 'INSERT INTO testtable ('fieldone', 'fieldtwo') VALUES ('.$_REQUEST["companyname"].','two');';

What am i doing wrong here?

Parse error:  syntax error, unexpected T_STRING in /home/test.php on line 22

perkiset

When you want to deref a complex variable (an array, object reference, method or function) you need to enclose the entire thing in curly braces. Here is a better way to do that:

$sql = "insert into testtable(field1, field2) values('{$_REQUEST["companyname"]}', 'two')";

However: If that $_REQUEST variable is coming directly from a POST form, you are opening yourself to a huge security risk. So huge, in fact, that if you ever do this I'd like you to give me the url so that I can gain utter control of your MySQL server and have another borgbot for free. But I digress.

$company = trim($_REQUEST['companyname']);
// the hyphen is escaped so it is a literal, not a range from space to period; everything outside the whitelist is stripped
$company = preg_replace('/[^A-Z0-9 \-._]/i', '', $company);

If this is too drastic, you can probably get away with
$company = mysql_escape_string(trim($_REQUEST['companyname']));

THEN
$sql = "insert into testtable(field1, field2) values('$company', 'two')";

but I wouldn't do it.

DangerMouse

Are there any particular failings in mysql_escape_string that you're aware of Perk?

vsloathe

Perk used to chide me for doing everything on one line.

perkiset

well, whole programs written to ascertain the meaning of 42 on a single line are a bit different than nesting a few string handling routines in a single line, no?

And for clarification: I put LOTS on a single line for my own self, if it's very readable. This is because I'll get a tiny-tiny performance bump from PHP, whereas lots more lines to compile will take a tiny-tiny performance hit. If I'm doing something for anyone else to look at I explode lines so they can read it, or if the line itself is tricky enough that I can see I won't understand my own code in 3 months then I explode it as well.

jammaster82

i like as little in the way of my 'tardedness as possible,
so i keep it line by line until it's done forever (like that happens)
then at the end i will try to optimize but that's so difficult
for me in php 'cause of the symbolyness.. someone needs
to invent their own robotic language without so many symbols
so that you can just start coding and have fun without
it puking spaces after semicolons out back at you ...

thanks, perk that werked i needed the { } tip..


perkiset

nw lad

jammaster82

RE: $_REQUEST from post

SO... How can i not expose my turd chewer then?

perkiset

Well, your post variables will still come up as normal because that's how HTTP works. But the goal is to isolate the inbound $_POST variables from actual code, i.e., NEVER let code come straight from your GET or POST variables and touch/modify/execute PHP code or MySQL stuff. That's just a recipe for disaster. For example - if a GET parameter defines what page I will show, then I will look at the inbound $_GET value in a switch statement and then do what I expect OR I will bounce somewhere with a hack notification. See, I know what I should see when a page request comes in - it is laziness to not confirm that what is coming in is within *exactly* what I expect. That's all.

vsloathe

Thank God that most people use poor coding practices though, or I would be out of business.

