
I have set up the following form:

<form name="pric" method="post" action="up.php">
    <div id="prices_col">Season A<br>
        <input type='text' name="date0" maxlength="13" size="15" style="font-size: 9px;" value="<?php echo $_date[0]?>" />
    </div>
    <div align="middle"><input type="submit" value="EDIT"></div>
</form>

The information in the database right now was like this ($_date[0] contains):

04/06 - 25/06

After posting the information, it decided to run the expression and I got something like:

-1.333333333

I use the following code:

$_date[0] = trim($_POST["date0"]);
mysql_query("UPDATE price SET _date=".$_date[0]." WHERE id='0'") or die(mysql_error());

How can I stop it from executing? I need to store the value as plain text in the database.

Whisperity
user1384668

1 Answer

mysql_query("UPDATE `price` SET `_date`='".mysql_real_escape_string(trim($_POST["date0"]))."' WHERE `id`=0") or die(mysql_error());

As _date is a text field, and mysql_real_escape_string for security.

Waygood
  • Are you quoting the date? I've added mysql_real_escape_string too. Echo the SQL first to see what you're doing. $sql="....."; echo $sql; mysql_query($sql); – Waygood Jul 16 '12 at 14:22
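
The same update with a bound parameter instead of string concatenation, as an added example that is not code from the question or the answer (the mysql_* functions used above were removed in PHP 7). It assumes PDO with an in-memory SQLite database so it runs without a MySQL server, and the input values are constructed; SQLite divides integers, so the number produced in step 1 differs from what MySQL computes.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL server (assumption).
// Table and column names follow the question.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE price (id INTEGER PRIMARY KEY, _date TEXT)');
$pdo->exec("INSERT INTO price (id, _date) VALUES (0, '')");

// Reads back what is actually stored in row 0.
function storedDate(PDO $pdo): string
{
    return (string) $pdo->query('SELECT _date FROM price WHERE id = 0')->fetchColumn();
}

// Binds the value as data, so the server never parses it as SQL.
function saveDate(PDO $pdo, string $value): void
{
    $stmt = $pdo->prepare('UPDATE price SET _date = :d WHERE id = :id');
    $stmt->execute([':d' => $value, ':id' => 0]);
}

// Constructed inputs standing in for trim($_POST["date0"]).
$posted    = '04/06 - 25/06';
$withQuote = "04/06 '12 - 25/06 '12";

// 1) The question's pattern: concatenated without quotes, the value becomes
//    the arithmetic expression 04/06 - 25/06 and its result is stored.
$pdo->exec('UPDATE price SET _date=' . $posted . ' WHERE id = 0');
echo 'unquoted:       ' . storedDate($pdo) . "\n";

// 2) Quoted by hand but not escaped: an apostrophe in the input ends the
//    string literal early and the statement is rejected.
try {
    $pdo->exec("UPDATE price SET _date='" . $withQuote . "' WHERE id = 0");
    echo "hand-quoted:    accepted\n";
} catch (PDOException $e) {
    echo "hand-quoted:    rejected (" . $e->getMessage() . ")\n";
}

// 3) Bound parameter: both inputs are stored exactly as typed.
saveDate($pdo, $posted);
echo 'bound:          ' . storedDate($pdo) . "\n";
saveDate($pdo, $withQuote);
echo 'bound (quote):  ' . storedDate($pdo) . "\n";
```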