
The first example will add data to the MySQL database without any issue. The second block of code - where I try to use variables - won't. Can someone please explain where I am going wrong?

<?php
$query  = "INSERT INTO subjects (menu_name,position,visible) VALUES ('Edit me',4,1)";
$result = mysqli_query($connection, $query);

Problem CODE:

<?php
$menu_name = "TEST";
$position = 5;
$visible = 1;

$query  = "INSERT INTO subjects (menu_name,position,visible) 
           VALUES ('{menu_name}',{position}, {visible})";
$result = mysqli_query($connection, $query);
  • What happens if you use $visible and $position? Are you getting any error messages? Commented Jan 23, 2015 at 12:01
  • why the curly brackets and no dollar sign ? Commented Jan 23, 2015 at 12:02
  • Missing "$" on every single var inside the brackets. {menu_name} should be {$menu_name} and so on, although you should first PREPARE the string before querying it. Parsing variables directly in the query is dangerous. Read more: php.net/manual/en/pdo.prepared-statements.php (BIND parameters) Commented Jan 23, 2015 at 12:02
  • Thank you so much for your comments. I really appreciate the help. Have absolutely no idea why I failed to add the "$". Woods and trees and all that Commented Jan 23, 2015 at 13:17

2 Answers

*Answer updated with MySQLi prepare statement, thanks @h2ooooooo

<?php
// Open a new connection to the MySQL server
$db = new mysqli('host', 'username', 'password', 'database_name');

// Output connection errors
if ($db->connect_error) {
    die('Error: (' . $db->connect_errno . ') ' . $db->connect_error);
}

// Values to insert (the variables from the question)
$menu_name = "TEST";
$position  = 5;
$visible   = 1;

// Placeholders instead of interpolated values: the data is sent separately
// from the SQL text, so it cannot change the structure of the statement
$sql = "INSERT INTO subjects (menu_name, position, visible) VALUES (?, ?, ?)";

if (!$stmt = $db->prepare($sql)) {
    echo 'Database prepare error: ' . $db->error;
    exit;
}

// Bind one variable per placeholder; type string 'sii' = string, integer, integer
$stmt->bind_param('sii', $menu_name, $position, $visible);

if (!$stmt->execute()) {
    echo 'Database execute error: ' . $stmt->error;
    exit;
}

$stmt->close();

I'd say for you to take a look at the many tutorials through the net, like these:

http://markonphp.com/simple-insert-mysqli/ and

http://www.sanwebe.com/2013/03/basic-php-mysqli-usage


3 Comments

I did not realise this being new to php and MySQL. How do you "bind" variables to prevent malicious SQL statements?
Sorry, answer updated now. @RickTicky, take a look in the links also, step-by-step tutorials.
thanks very much! The more I look into this issue, the more important it seems. I appreciate you taking the time to help me and I hope that one day I will have the experience to do the same for others.
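To make the difference between the two approaches concrete, here is an added example that is not part of the question or either answer. It assumes a `subjects` table with the columns used above (menu_name VARCHAR, position INT, visible TINYINT) and placeholder connection details; the input value and the `insert_subject` helper are constructed for the illustration.

```php
<?php
// Added example (not from the question or answers). Assumes a `subjects` table
// (menu_name VARCHAR, position INT, visible TINYINT); host and credentials are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on MySQL errors
$connection = mysqli_connect('db_host', 'db_user', 'db_password', 'db_name');

// Constructed input: a perfectly legitimate menu name that contains an apostrophe.
$menu_name = "Kids' Corner";
$position  = 5;
$visible   = 1;

// 1) Interpolation as in the question (with the missing `$` fixed). The apostrophe
//    closes the string literal early, so MySQL rejects the malformed INSERT. Any
//    input containing a quote changes the SQL text itself, which is exactly the
//    injection risk the comments above warn about.
$interpolated = "INSERT INTO subjects (menu_name, position, visible)
                 VALUES ('{$menu_name}', {$position}, {$visible})";
try {
    mysqli_query($connection, $interpolated);
} catch (mysqli_sql_exception $e) {
    echo "Interpolated query rejected: " . $e->getMessage() . PHP_EOL;
}

// 2) Prepared statement: the values never become part of the SQL text, so the
//    quote in $menu_name is stored as data. Type string 'sii' = string, int, int.
function insert_subject(mysqli $db, string $menu_name, int $position, int $visible): int
{
    $stmt = $db->prepare(
        'INSERT INTO subjects (menu_name, position, visible) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sii', $menu_name, $position, $visible);
    $stmt->execute();
    $id = $stmt->insert_id; // auto-increment id of the new row (0 if the table has none)
    $stmt->close();
    return $id;
}

$new_id = insert_subject($connection, $menu_name, $position, $visible);
echo "Inserted subject id {$new_id} with menu_name {$menu_name}" . PHP_EOL;
```

With the same input, the interpolated version fails (or worse, runs a different statement) while the prepared version inserts the row unchanged.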

// Builds the SQL by concatenating the raw variables into the string; this runs, but
// because the values are part of the query text, any quote in them changes the statement
$query = "INSERT INTO subjects (menu_name,position,visible) VALUES ('".$menu_name."','".$position."', '".$visible."')";

try this
