Question

I seem to always have issues getting variables into my MySQL queries.

Is there a good tutorial or could someone show me the proper way of getting variables into the statement?

The main issue I am having is with the different types of quotes (' or ").

Here is my query:

// The values are spliced directly into the SQL text, so every quote
// inside them has to be produced (and escaped) by hand in PHP.
$sql = "INSERT INTO classes (
                        class_name, 
                        user_id, 
                        professor_name, 
                        class_start, 
                        class_end,
                        school_period) 
        VALUES('" . $className 
                . "','" . $userID 
                . "','" . $classProfessor 
                . "','" . $classStart 
                . "','" . $classEnd 
                . "','" . $classPeriod 
                . "')";

Solution 3

Use prepared statements: http://php.net/pdo.prepared-statements, as that is the best way to execute SQL.

OTHER TIPS

Use prepared statements:

<?php
// $dbh is an existing PDO connection.
$stmt = $dbh->prepare(
    "INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
// bindParam binds by reference, so the variables may be assigned afterwards;
// their current values are read at execute() time.
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);

// insert one row
$name = 'one';
$value = 1;
$stmt->execute();

Please do not try to make a correct SQL string yourself. This is how you get SQL Injections.

How to use placeholders
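The asker's classes INSERT rewritten with PDO prepared statements, as an added example that is not part of the original question or answers. It uses an in-memory SQLite database so it runs offline (replace the DSN with a MySQL one in practice); the table and column names follow the question, the sample rows and the insertClass helper are constructed for this example.

```php
<?php
// Added example: the asker's INSERT with named placeholders.
// PDO::ATTR_EMULATE_PREPARES = false asks the driver for real server-side
// prepares where it supports them (MySQL does; SQLite prepares natively).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Schema constructed to match the columns in the question.
$pdo->exec('CREATE TABLE classes (
    id INTEGER PRIMARY KEY,
    class_name TEXT, user_id INTEGER, professor_name TEXT,
    class_start TEXT, class_end TEXT, school_period INTEGER)');

// Hypothetical helper: the SQL text holds only placeholders, never data,
// so no quoting decisions are made in PHP; the driver handles each value.
function insertClass(PDO $pdo, array $row): int
{
    $stmt = $pdo->prepare('INSERT INTO classes
        (class_name, user_id, professor_name, class_start, class_end, school_period)
        VALUES (:class_name, :user_id, :professor_name, :class_start, :class_end, :school_period)');
    $stmt->bindValue(':class_name',     $row['class_name']);
    $stmt->bindValue(':user_id',        $row['user_id'],       PDO::PARAM_INT);
    $stmt->bindValue(':professor_name', $row['professor_name']);
    $stmt->bindValue(':class_start',    $row['class_start']);
    $stmt->bindValue(':class_end',      $row['class_end']);
    $stmt->bindValue(':school_period',  $row['school_period'], PDO::PARAM_INT);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Constructed sample rows. The second professor name contains an apostrophe,
// the exact character that breaks a hand-built quoted string; bound as a
// parameter it is stored verbatim and never reaches the SQL parser as syntax.
$rows = [
    ['class_name' => 'Databases', 'user_id' => 42, 'professor_name' => 'Codd',
     'class_start' => '09:00', 'class_end' => '10:30', 'school_period' => 1],
    ['class_name' => 'Intro to PHP', 'user_id' => 42, 'professor_name' => "O'Brien",
     'class_start' => '11:00', 'class_end' => '12:30', 'school_period' => 2],
];
foreach ($rows as $row) {
    insertClass($pdo, $row);
}

// Reading back with a bound parameter too: the same rule applies to SELECTs.
$stmt = $pdo->prepare('SELECT class_name, professor_name FROM classes WHERE user_id = :uid');
$stmt->execute([':uid' => 42]);
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $r) {
    printf("%s taught by %s\n", $r['class_name'], $r['professor_name']);
}
```

Run it with `php example.php` on a build that has pdo_sqlite enabled. The point to take from it is that the quoting problem in the question disappears entirely: the PHP code never writes a single quote around a value, so there is nothing to get wrong and nothing for a malicious value to break out of.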

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow