-
Notifications
You must be signed in to change notification settings - Fork 0
/
enter.php
executable file
·55 lines (45 loc) · 1.67 KB
/
enter.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
<?php include 'database.php'; ?>
<?php
// This is the "prepared statement" version of this file
if (isset($_POST['title']) && isset($_POST['artist'])) {
// sanitizeMySQL() is a custom function, written below
$title = sanitizeMySQL($conn, $_POST['title']);
$artist = sanitizeMySQL($conn, $_POST['artist']);
$genre = sanitizeMySQL($conn, $_POST['genre']);
$mood = sanitizeMySQL($conn, $_POST['mood']);
// create a PHP timestamp
date_default_timezone_set('America/New_York');
$date = date('m-d-Y', time());
// the prepared statement - note: 6 question marks represent
// 6 variables we will send to database separately
$query = "INSERT INTO songs (title, artist, genre, mood)
VALUES (?, ?, ?, ?)";
// prepare the statement in db
if ( $stmt = mysqli_prepare($conn, $query) ) {
// bind the values to replace the 6 question marks
// note that 6 letters in 'sssids' MUST MATCH data types in table
// Type specification chars:
// i - integer, s - string , d - double (decimal), b - blob
mysqli_stmt_bind_param($stmt, 'ssss',
$title,
$artist,
$genre,
$mood
);
// executes the prepared statement with the values already set, above
mysqli_stmt_execute($stmt);
// close the prepared statement
mysqli_stmt_close($stmt);
// close db connection
mysqli_close($conn);
} // end if prepare
} else {
echo "Failed to enter!";
} // end if isset
// erase any HTML tags and then escape all quotes
function sanitizeMySQL($conn, $var) {
$var = strip_tags($var);
$var = mysqli_real_escape_string($conn, $var);
return $var;
}
?>