php - Insert into table with prepared statement


I'm trying to insert data from a form into a database using PHP and mysqli, but I can't get it working! The database has 4 fields: date, title, content, id. The id field is auto-increment.

I've checked the connection and that's working fine. I've echoed the form field values and the $blogdate variable I created, and they're fine too.

Here's the prepared statement:

    if ($newblog = $mysqli->prepare('insert blog values ($blogdate, $_POST["btitle"], $_POST["bcontent"])')) {
        $newblog->execute();
        $newblog->close();
    }

It's not inserting the values into the table.

You are generating SQL containing strings that are not quoted or escaped.

Don't insert the data directly into the SQL string; use placeholders (?) and bind the parameters before executing.

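    // Name the three columns being supplied: the table has four fields and
    // id is auto-increment, so a bare three-value VALUES list would not match.
    $query = "insert into blog (date, title, content) values (?, ?, ?)";
    $stmt = $mysqli->prepare($query);
    // "sss" = three string parameters, bound in placeholder order.
    $stmt->bind_param("sss", $blogdate, $_POST["btitle"], $_POST["bcontent"]);
    $stmt->execute();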
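An added example, not part of the original question or answer: the same insert wrapped so that a failed prepare() or execute() raises an exception instead of being silently skipped, followed by a read-back showing that a title containing a quote is stored as data. It assumes the blog table has the columns date, title, content and auto-increment id described in the question, that date is stored as YYYY-MM-DD, and that connection settings come from the environment variables DB_HOST, DB_USER, DB_PASS and DB_NAME; insert_blog_post is a hypothetical helper name.

```php
<?php
declare(strict_types=1);

// Make mysqli throw exceptions instead of returning false, so a failed
// prepare() or execute() cannot pass unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Hypothetical helper: insert one row into blog and return its new id.
 * The id column is auto-increment and is therefore not supplied.
 */
function insert_blog_post(mysqli $db, string $date, string $title, string $content): int
{
    // Assumption: dates are stored as YYYY-MM-DD. Reject anything else,
    // including impossible dates that PHP would otherwise roll over.
    $parsed = DateTimeImmutable::createFromFormat('!Y-m-d', $date);
    if ($parsed === false || $parsed->format('Y-m-d') !== $date) {
        throw new InvalidArgumentException('date must be YYYY-MM-DD');
    }

    // The SQL text is constant; user data travels only as bound parameters.
    $stmt = $db->prepare('INSERT INTO blog (`date`, title, content) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $date, $title, $content);
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// Assumption: connection settings are provided through the environment.
$db = new mysqli(
    getenv('DB_HOST') ?: 'localhost',
    getenv('DB_USER') ?: '',
    getenv('DB_PASS') ?: '',
    getenv('DB_NAME') ?: ''
);
$db->set_charset('utf8mb4');

// Constructed input: a title with a quote and SQL punctuation in it.
$title = "It's here'); -- just text";
$id = insert_blog_post($db, '2024-01-31', $title, 'Body text');

// Read the row back and compare it with what was submitted.
$check = $db->prepare('SELECT title FROM blog WHERE id = ?');
$check->bind_param('i', $id);
$check->execute();
$check->bind_result($stored);
$check->fetch();
$check->close();
var_dump($stored === $title);
```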
