On Sep 24, 2004, at 1:08 PM, Moonlight Embrace wrote:
> I'm using this line in searchengine.php
> mysql_query("INSERT INTO wsearch (usersearch) VALUES
> ('".$_REQUEST['search']."')") or die(mysql_error());
> however, I'm confused as to where to put it; either I get just search
> queries and not the "go"s or I get a No Database Selected error.

Rather than mysql_query directly, try the wfQuery() wrapper function;
this will make sure the database connection is set up before sending
the query.
Also, as written you're open to SQL injection attacks. Never stick
strings directly into SQL; wrap it in an escaping function (e.g. the
wfStrencode() wrapper function).
-- brion vibber (brion @ pobox.com)
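
Added example, not part of the original messages and not MediaWiki code: the quoted INSERT run against a constructed wsearch table, once with the value concatenated into the SQL and once passed as a bound parameter. It uses PDO with in-memory SQLite and a prepared statement in place of the wfQuery()/wfStrencode() wrappers named in the reply; the function names and sample inputs are assumptions made for the illustration.

```php
<?php
// Added example: constructed table and inputs. PDO with in-memory SQLite
// stands in for the MySQL connection so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wsearch (usersearch TEXT)');

// Same pattern as the quoted line: the value is pasted into the SQL text.
// (Hypothetical helper name.)
function logSearchConcatenated(PDO $db, string $term): void {
    $db->exec("INSERT INTO wsearch (usersearch) VALUES ('" . $term . "')");
}

// The value travels as a bound parameter and is never parsed as SQL.
// (Hypothetical helper name.)
function logSearchBound(PDO $db, string $term): void {
    $stmt = $db->prepare('INSERT INTO wsearch (usersearch) VALUES (?)');
    $stmt->execute([$term]);
}

function storedSearches(PDO $db): array {
    return $db->query('SELECT usersearch FROM wsearch')
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: an ordinary name with an apostrophe, and a value
// whose quote closes the string literal early.
$inputs = ["O'Reilly", "a'), ('b"];

foreach ($inputs as $term) {
    try {
        logSearchConcatenated($db, $term);
        echo 'concatenated accepted: ' . $term . "\n";
    } catch (PDOException $e) {
        // A legitimate search is rejected because its quote breaks the SQL.
        echo 'concatenated failed: ' . $term . ' => ' . $e->getMessage() . "\n";
    }
}
// The second input was parsed as SQL and stored as two separate rows.
echo 'rows after concatenation: ' . json_encode(storedSearches($db)) . "\n";

$db->exec('DELETE FROM wsearch');
foreach ($inputs as $term) {
    logSearchBound($db, $term);
}
// Both inputs are stored verbatim, one row each.
echo 'rows after binding: ' . json_encode(storedSearches($db)) . "\n";
```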