The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Re: Create a condition between SAVE and SAVE&PUBLISH




```php
$title = $_POST;
// . . .
"INSERT INTO posts … VALUES('$post_title' …
```

First and foremost, **never put user-supplied data directly into SQL**. Your current code is wide-open to SQL injection attacks (worst case) and any number of SQL errors (best case).

**Always** (always, always):

1) *Validate*. Make sure the info you got is the info you expected. If you asked for a name, don’t accept submissions with HTML. If you asked for an email address, don’t accept submissions with tabs or line breaks. If you asked for a number, don’t accept any non-digit characters.

Perhaps the most important thing is, when you have form fields with a known set of values (e.g., a set of checkboxes or a drop-down menu), then the submitted value must be one of those *exact* values. Don’t “fix” anything. If you had a checkbox for “yes” or “no” and the word “green” came back, that means someone is messing around with your form. **Throw the whole thing away**. Ignore it completely: don’t even give an error message. If you are keeping track of your users, that user needs to be permanently banned.

2) *Sanitize*. When putting data into SQL statements, you need to make sure MySQL treats your data *as data*. This is where functions like `real_escape_string` come in: to make sure names like `O'Brien` or `Smith' OR 1=1--` don’t cause any problems.

Something else you need to consider: this appears to be a form for posting comments/articles, correct? You need to validate what sort of HTML you allow. Allowing *any* HTML (i.e., not checking) means that users basically have free rein on your website – they can add HTML, CSS or JavaScript at will. There are serious XSS risks here.


Next, ext/mysql (all `mysql_*()` functions) is **deprecated** and should not be used in new code. For performance and security reasons, you should take the time to update any existing code to use ext/mysql**i** or PDO as well.



I know you want dates/times in your local time, but make sure that your DB is using the same time zone. If you use one timezone and MySQL uses another, you’ll have corrupt data. It is *almost always* best to use UTC time *everywhere* and convert to local times when necessary.


```php
// insert values from form to server
mysql_query("INSERT INTO posts (`post_title`, `post_content`, `post_page`, `date_posted`) VALUES('$post_title', '$editor_data', '$page', '$date_time')");
```

You should check if this actually worked or not.
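
One way to combine the advice above (validate, keep data out of the SQL text, store UTC, check the result), as an added example that is not part of the original post. It uses PDO bound parameters rather than `real_escape_string`; the allowed page values, the length limit and the in-memory SQLite database standing in for MySQL are assumptions made so the script runs offline.

```php
<?php
// Added example, not the original poster's code. Column names follow the INSERT above;
// ALLOWED_PAGES, the 200-byte limit and SQLite (pdo_sqlite) are assumptions.
const ALLOWED_PAGES = ['news', 'blog', 'about']; // hypothetical drop-down values
function validate_post(array $in): ?array
{
    $title = trim((string)($in['post_title'] ?? ''));
    $body  = (string)($in['post_content'] ?? '');
    $page  = (string)($in['post_page'] ?? '');
    // Known set of values: exact match, or the whole submission is discarded.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    // Title is plain text: no markup, no tabs or line breaks, bounded length.
    if ($title === '' || strlen($title) > 200 || preg_match('/[<>\t\r\n]/', $title)) {
        return null;
    }
    return $body === '' ? null : ['title' => $title, 'body' => $body, 'page' => $page];
}
function save_post(PDO $db, array $post): bool
{
    try {
        // Placeholders keep the submitted values out of the SQL text entirely.
        $stmt = $db->prepare('INSERT INTO posts (post_title, post_content, post_page, date_posted)
                              VALUES (:title, :body, :page, :posted)');
        $stmt->execute([
            ':title'  => $post['title'],
            ':body'   => $post['body'],
            ':page'   => $post['page'],
            ':posted' => gmdate('Y-m-d H:i:s'), // UTC; convert when displaying
        ]);
        return $stmt->rowCount() === 1; // confirm the row was actually written
    } catch (PDOException $e) {
        error_log('post insert failed: ' . $e->getMessage());
        return false;
    }
}
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE posts (post_title TEXT, post_content TEXT, post_page TEXT, date_posted TEXT)');
$samples = [ // constructed submissions
    ['post_title' => "O'Brien", 'post_content' => "Smith' OR 1=1--", 'post_page' => 'news'],
    ['post_title' => 'Hello',   'post_content' => 'text',            'post_page' => 'green'],
];
foreach ($samples as $s) {
    $post = validate_post($s);
    echo $post === null ? "discarded\n" : (save_post($db, $post) ? "saved\n" : "insert failed\n");
}
echo $db->query('SELECT COUNT(*) FROM posts')->fetchColumn(), " row(s) stored\n";
```

The body is stored as submitted; which HTML it may contain is a separate check that this example does not implement.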