I can't define a variable correctly in PHP

I made a little quiz with PHP and MySQL. When the quiz is finished, the user receives this:

    Final Score:<?php echo $_SESSION['Score']; ?>

Then, I also wanted to put all the results in a table, so I tried this:

$sql = "INSERT INTO `Results` (Username, Score) VALUES ('$username', $score)";

But I don't know how to put this $_SESSION['Score'] = $score to insert the result into the table.



answered 4 months ago GiantJelly #1

As you mentioned that you're not actually building a website, so SQL injection vulnerability is fine you should be able to just do

$sql = "INSERT INTO `Results` (Username, Score) 
VALUES ('".$username."', '".$_SESSION['Score']."')";

This works by escaping the SQL string and inputting your variable

Edit --

Id just like to clarify in case anyone else sees this, this is not the way you should do SQL queries and it has many security vulnerabilities.

More info - http://php.net/manual/en/security.database.sql-injection.php

comments powered by Disqus