Use prepared statements: http://php.net/pdo.prepared-statements as that is the best way to execute sql
Proper way to insert variables into a MySQL insert statement [duplicate]
Question
I seem to always have issues getting variables into my MySQL querys.
Is there a good tutorial or could someone show me the proper way of getting variables into the statement?
The main issue I am having is with the different types of quotes (' or ").
Here is my query:
$sql = "INSERT INTO classes (
class_name,
user_id,
professor_name,
class_start,
class_end,
school_period)
VALUES('" . $className
. "','" . $userID
. "','" . $classProfessor
. "','" . $classStart
. "','" . $classEnd
. "','" . $classPeriod . ");)"
. '"';
Solution 3
OTHER TIPS
Use prepared statements:
<?php
$stmt = $dbh->prepare(
"INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
// insert one row
$name = 'one';
$value = 1;
$stmt->execute();
Please do not try to make a correct SQL string yourself. This is how you get SQL Injections.
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow