Using combined variable in bind param doesnt work

Question

When I use a php variable that is a multiple variables combined into one and use that variable in bind param, it doesnt work and it shows an error.

Let me explain:

I am storing the post data, sql columns and sql table details in a variable like this:

$user_input_ab = $_POST['ab'];
$user_input_cd = $_POST['cd'];
$user_input_ef = $_POST['ef'];
$user_input_gh = $_POST['gh'];


$sqlTable = 'abcd_list';
$sqlColumns = 'ab, cd, ef, gh';
$sqlValues = $user_input_ab .','. $user_input_cd .','. $user_input_ef .',' . $user_input_gh;

SQL Prepare Statement like this:

$stmt = $mysqli->prepare("INSERT INTO $sqlTable ($sqlColumns) VALUES (?, ?, ?, ?)");

The above works so far. But if I used the combined variable $sqlValues in bind statement, it doesnt work:

$rc = $stmt->bind_param("ssss", $sqlValues);

The above doesnt work. It gives the following error:

Warning: mysqli_stmt::bind_param() [mysqli-stmt.bind-param]: Number of elements in type definition string doesn't match number of bind variables

But if I change bind_param to this, then it works:

$rc = $stmt->bind_param("ssss", $user_input_ab, $user_input_cd, $user_input_ef, $user_input_gh);

So why isint it working? The error says that the number of elements arent matching, but when I use $sqlValues, should that populate the 4 elements in it?

If you are wondering why I am using variables, its just to make editing easier in future so I can keep the rest of the sql queries intact.

Answer 1

It's not working correctly because it is only seeing one parameter, it assumes that $sqlValues is a single string. (AKA it's trying to store them all in the ab column).

I don't believe there is any other way about other than using an array but

$rc = $stmt->bind_param("ssss", $user_input_ab, $user_input_cd, $user_input_ef, $user_input_gh);

(which is what you have) is much simpler.