The Reload Problem

In “Processing and Using User Data,” earlier in this chapter, we showed you an example that writes data to the music database. This section briefly discusses a common problem that can arise when writing to web databases and shows you a simple way to avoid it.

Consider a simple script, process.php, that writes an artist to the music database:

<?php
if(!empty($_GET))
{
  // Include database parameters and related functions
  require_once("../db.php");
  $DB_databasename='music';
  // Connect to the MySQL DBMS and use the music database - credentials are
  // in the file db.php
  if(!($connection= mysqli_connect($DB_hostname, $DB_username, $DB_password,
    $DB_databasename)))
    showerror($connection);

  // Untaint the artist name, and use at most 15 characters
  $artist_name = clean($_GET["artist_name"], 15);

  // Add the artist, using the next available artist_id
  $query="INSERT INTO artist (artist_id, artist_name) ".
    "SELECT MAX(artist_id)+1, '$artist_name' FROM artist";
  if (! @ mysqli_query($connection, $query))
    die("Couldn't add artist");

  // Escape the user-supplied name before echoing it back into the page
  print "Added artist: ".htmlspecialchars($_GET['artist_name']);
}
else
{
  print "No artist name was provided";
}
?>

Note that we’ve included the db.php file for the database parameters and the definition of the clean() function to untaint data from the user.
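The book's own fix is not on this page. As an added example (our code, not the book's), here is process.php rewritten so that a reload cannot repeat the INSERT: the write is accepted only on a POST, and once the row is written the script redirects to a separate receipt page, so the page the user ends up on (and reloads) is the receipt, not the script that writes. It assumes db.php defines $DB_hostname, $DB_username, $DB_password and showerror() as the book's version does; form.php and receipt.php are hypothetical pages.

```php
<?php
// Added example: process.php without the reload problem.
// Assumes ../db.php defines $DB_hostname, $DB_username, $DB_password
// and showerror(), as in the book's version above.
require_once("../db.php");
$DB_databasename = 'music';

// Only a POST may change the database. A GET, including a reload of
// this URL, is sent back to the form (hypothetical form.php) instead
// of re-running the INSERT.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_POST['artist_name'])) {
  header("Location: form.php");
  exit;
}

$connection = mysqli_connect($DB_hostname, $DB_username, $DB_password,
                             $DB_databasename);
if (!$connection)
  showerror($connection);

// Keep at most 15 characters, as the book's clean() does, and bind the
// value as a parameter instead of interpolating it into the SQL string.
$artist_name = mb_substr(trim($_POST['artist_name']), 0, 15);

$query = "INSERT INTO artist (artist_id, artist_name) " .
         "SELECT COALESCE(MAX(artist_id), 0) + 1, ? FROM artist";
$stmt = mysqli_prepare($connection, $query);
if (!$stmt)
  die("Couldn't prepare the INSERT");
mysqli_stmt_bind_param($stmt, "s", $artist_name);
if (!mysqli_stmt_execute($stmt))
  die("Couldn't add artist");
mysqli_stmt_close($stmt);
mysqli_close($connection);

// Redirect after the write: the browser's address bar now shows
// receipt.php (hypothetical), so a reload re-requests the receipt and
// never reaches the INSERT again. receipt.php must HTML-escape the name
// it prints, exactly as process.php above does.
header("Location: receipt.php?artist_name=" . urlencode($artist_name));
exit;
?>
```

The same pattern applies to any script that changes the database: write, then redirect to a page that only reads.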

Figure 14-3 shows what happens when the user submits the form we described earlier in “Processing and Using User Data.” The web browser submits the artist name and the album name provided by the user, and requests the ...
