The code here is still incomplete, because I'm still going to ask you which of the correct mysql escape string format / syntax is used. I am still new to php and I want to learn how to avoid sql injections. Is this code correct?
$con = mysql_connect("localhost","root","mypwd"); if (!$con) { die('Could not connect: ' . mysql_error()); } mysql_select_db("Hospital", $con); $sqlque="INSERT INTO t2 (HOSPNUM, ROOMNUM, ADATE, ADTIME, LASTNAME, FIRSTNAME, MIDNAME, CSTAT, AGE, BDAY, ADDRESS, TELNUM, SEX, STAT, STAT2, STAT3, STAT4, STAT5, STAT6, STAT7, STAT8, NURSE) VALUES ('$_POST[hnum]', '$_POST[rnum]', '$_POST[adate]', '$_POST[adtime]', '$_POST[lname]', '$_POST[fname]', '$_POST[mname]', '$_POST[cs]', '$_POST[age]', '$_POST[bday]', '$_POST[ad]', '$_POST[telnum]', '$_POST[sex]', '$_POST[stats1]', '$_POST[stats2]', '$_POST[stats3]', '$_POST[stats4]', '$_POST[stats5]', '$_POST[stats6]', '$_POST[stats7]', '$_POST[stats8]', '$_POST[nurse]')"; mysql_real_escape_string($_POST[hnum]), mysql_real_escape_string($_POST[rnum]); mysql_real_escape_string($_POST[adate]);