I have created a simple function to post data into a MySQL table using a function and an array. The array is built from $_POST items on a form. What I would like to know is: are there potential security holes that I am not seeing?
Here is the function:
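    public function add_sql_data($table, $array){
        $tot = count($array);
        $c = 0;
        // Start from empty strings so the first append does not read an undefined variable
        $fields = "";
        $values = "";
        foreach($array as $k => $v){
            // Array keys become column names, array values become quoted literals
            $fields = $fields.$k;
            $values = $values."'".$v."'";
            $c++;
            // Comma between items, but not after the last one
            if($c < $tot){
                $fields = $fields.",";
                $values = $values.",";
            }
        }
        // Table name, keys and values are concatenated directly into the statement
        $sql = "INSERT INTO ".$table."(".$fields.") values(".$values.")";
        if (mysql_query($sql)){
            return "succesfull";
        }else{
            return "error";
        }
    }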
I have tried to use the small amount of PHP I know to create a SQL injection, but it seems to me that the array is actually stopping any harmful syntax from running. Thanks!!
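
Added example, not part of the original post: the function above concatenates the table name, the array keys and the array values into the SQL text, so none of them is separated from the statement itself. A hardened form binds values as parameters and checks identifiers against an allow-list. The names `ALLOWED`, `add_sql_data_safe` and the `users` table are hypothetical, and in-memory SQLite through PDO (assumes the `pdo_sqlite` extension) stands in for MySQL so the block runs offline.

```php
<?php
// Added example: ALLOWED, add_sql_data_safe and the users table are hypothetical names.
// Allow-list of tables and the columns a form may write to.
const ALLOWED = [
    'users' => ['name', 'email'],
];

function add_sql_data_safe(PDO $pdo, string $table, array $data): bool
{
    // Identifiers cannot be bound as parameters, so they are checked
    // against a fixed allow-list instead of being taken from the request.
    if (!array_key_exists($table, ALLOWED) || $data === []) {
        return false;
    }
    $fields = array_keys($data);
    if (array_diff($fields, ALLOWED[$table]) !== []) {
        return false; // unexpected key in the submitted array
    }
    // One "?" placeholder per value; values travel separately from the SQL text.
    $marks = implode(',', array_fill(0, count($fields), '?'));
    $sql = 'INSERT INTO ' . $table . ' (' . implode(',', $fields) . ') VALUES (' . $marks . ')';
    return $pdo->prepare($sql)->execute(array_values($data));
}

// Constructed demo data; SQLite in memory is an assumption made so this runs without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, email TEXT)');

// A value containing a single quote is stored as data, not parsed as SQL.
var_dump(add_sql_data_safe($pdo, 'users', ['name' => "O'Brien", 'email' => 'ob@example.test']));

// A key that is not an allowed column is rejected before any SQL is built.
var_dump(add_sql_data_safe($pdo, 'users', ['name' => 'x', 'is_admin' => '1']));

// Read the stored name back to compare it with what was submitted.
var_dump($pdo->query('SELECT name FROM users')->fetchColumn());
```

With a MySQL server, only the PDO connection string changes; the `mysql_query` family used in the post was removed in PHP 7.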