PHP - Insert into table with prepared statement
I'm trying to insert data from a form into a database using PHP and mysqli, but I can't get it working! The database has 4 fields: date, title, content, id. The id field is auto-increment.
I've checked the connection and that's working fine. I've echoed the form field values and the $blogdate variable I created, and they're fine too.
Here's my prepared statement:
if ($newblog = $mysqli->prepare('INSERT INTO blog VALUES ($blogdate, $_POST["btitle"], $_POST["bcontent"])')) {
    $newblog->execute();
    $newblog->close();
}
It's not inserting the values into the table.
You are generating SQL containing strings that are not quoted or escaped.
Don't insert data directly into the SQL string; use placeholders (?) and bind the parameters before executing.
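// Name the three columns being filled; id is auto-increment and is left out,
// otherwise three values do not match the table's four columns.
$query = "INSERT INTO blog (date, title, content) VALUES (?, ?, ?)";
$stmt = $mysqli->prepare($query);
// "sss" binds all three values as strings, separately from the SQL text.
$stmt->bind_param("sss", $blogdate, $_POST["btitle"], $_POST["bcontent"]);
$stmt->execute();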
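The following is an added example, not part of the original question or answer. It applies the answer's placeholder approach with mysqli error reporting switched to exceptions, so a statement that fails to prepare is reported instead of being skipped silently by an `if`. The function name `insert_blog_post`, the connection values and the date format are assumptions.

```php
<?php
// Added example: hypothetical helper, not code from the original post.
// Assumes the blog table from the question: date, title, content, id (auto-increment).

// Throw mysqli_sql_exception on errors instead of returning false
// (this is already the default from PHP 8.1 onwards).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function insert_blog_post(mysqli $mysqli, string $date, string $title, string $content): int
{
    // The SQL text is a constant: user input never becomes part of it.
    $stmt = $mysqli->prepare(
        'INSERT INTO blog (`date`, title, content) VALUES (?, ?, ?)'
    );
    // Values are sent separately from the statement; "sss" = three strings.
    $stmt->bind_param('sss', $date, $title, $content);
    $stmt->execute();
    $id = (int) $stmt->insert_id; // id assigned by auto-increment
    $stmt->close();
    return $id;
}

// Reject empty form fields before touching the database.
$title   = trim($_POST['btitle'] ?? '');
$content = trim($_POST['bcontent'] ?? '');
if ($title === '' || $content === '') {
    http_response_code(400);
    exit('Title and content are required.');
}

try {
    // Placeholder connection values; replace with your own.
    $mysqli = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
    $mysqli->set_charset('utf8mb4');
    // Date format is an assumption; the question does not show how $blogdate is built.
    $id = insert_blog_post($mysqli, date('Y-m-d'), $title, $content);
    echo 'Inserted blog row ', $id;
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; show the visitor a generic message only.
    error_log('Blog insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Could not save the post.');
}
```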