+1 vote
419 views
in Q2A Core

This is how I store data in MySQL via a PHP form. I know it's a security risk.

Example: $price = $_POST['price'];

OR

$price = array_key_exists('price', $_POST) ? $_POST['price'] : "";

and the SQL query is:

$insertqry = qa_db_query_sub("INSERT INTO test_table (title, price) VALUES ('$title','$price')");

How should I post data in PHP 7 and above?
I think escape string is deprecated or outdated.

Thanks for your help!

Q2A version: Latest

1 Answer

+4 votes
Best answer

Hello, the qa_db_query_sub function exists exactly for this purpose; however, you're not quite using it correctly. You need to add placeholders to the query and then pass the variables separately. Use # for a number and $ for a string.

So your example should be:

$insertqry = qa_db_query_sub("INSERT INTO test_table (title, price) VALUES ($, #)", $title, $price);

Also if you're using Q2A tables, use ^ to automatically add the correct table prefix, so ^posts becomes qa_posts.

Thank you, Scott!
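To make the difference between the two query styles concrete, here is an added example that is not part of the original question, the answer, or the Q2A project. Q2A's real qa_db_query_sub() sends the query to the site's database, so this file uses a stand-in, demo_apply_sub(), that only performs the placeholder expansion the answer describes: $ becomes a quoted, escaped string, # becomes an integer, and ^ becomes the table prefix. The prefix constant, the escaping helper, the table name test_table and the hostile form values are all assumptions constructed for the demonstration; consult the qa-include directory of your own Q2A install for the real implementation.

```php
<?php
// Added example, not code from the original post or from the Q2A project.
// demo_apply_sub() is a stand-in for the placeholder expansion that Q2A's
// qa_db_query_sub() performs before running a query. It is an assumption
// that this mirrors Q2A closely enough for illustration purposes.

define('DEMO_TABLE_PREFIX', 'qa_');   // assumption: Q2A's default table prefix

/** Escape the characters that MySQL treats specially inside a string literal. */
function demo_escape_string($value)
{
    // Stand-in for mysqli::real_escape_string(), which needs a live connection.
    return strtr((string)$value, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

/** Expand ^, $ and # placeholders left to right, consuming one argument each. */
function demo_apply_sub($query, array $args)
{
    $query = str_replace('^', DEMO_TABLE_PREFIX, $query);
    $out = '';
    $len = strlen($query);
    for ($i = 0; $i < $len; $i++) {
        $c = $query[$i];
        if ($c !== '$' && $c !== '#') {
            $out .= $c;
            continue;
        }
        if (!$args) {
            throw new InvalidArgumentException("placeholder '$c' at offset $i has no argument");
        }
        $arg = array_shift($args);
        // '$' always yields a quoted, escaped literal and '#' always yields an
        // integer, so attacker-controlled text never reaches the parser as syntax.
        $out .= ($c === '$') ? "'" . demo_escape_string($arg) . "'" : (string)(int)$arg;
    }
    if ($args) {
        throw new InvalidArgumentException(count($args) . ' surplus argument(s) passed');
    }
    return $out;
}

// Constructed hostile form input: a title that tries to close the string
// literal and append a second statement, and a price that is not a number.
$title = "Widget'); DROP TABLE test_table; -- ";
$price = "1 OR 1=1";

// The questioner's original pattern: values interpolated straight into SQL,
// so the payload inside $title becomes part of the statement.
$unsafe = "INSERT INTO test_table (title, price) VALUES ('$title','$price')";

// The pattern from the answer: placeholders in the query, values passed separately.
$safe = demo_apply_sub('INSERT INTO test_table (title, price) VALUES ($, #)', [$title, $price]);

// ^ expands to the table prefix for Q2A's own tables, and # coerces to an int.
$lookup = demo_apply_sub('SELECT title FROM ^posts WHERE postid = #', ['7; DELETE FROM qa_posts']);

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
echo $lookup, PHP_EOL;
```

Running this with `php` prints three statements: the interpolated one, in which the quote inside the title has closed the literal and turned the rest of the input into SQL, and the two placeholder-built ones, in which the quote is escaped, the price has collapsed to the integer 1 and the postid to 7, and ^posts has become qa_posts. One PHP detail to keep in mind when adopting the answer: inside a double-quoted PHP string a $ that is immediately followed by a letter is parsed as a variable, so write the query in single quotes, or keep each $ placeholder followed by a comma, space or parenthesis as the answer's example does.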