-4

I am new to php and trying to insert some values to my database table but query isn't working when I am passing values by php variables. The same query was working with static values.

I am making my database connection in init.php and the variable in there for same is $dbc.

<?php
require "init.php";

$mobile = "100004";
$email = "vikas4@web";
$password = "4444"

$stmt = mysqli_prepare($dbc, "INSERT INTO user_login (user_mobile, user_email, user_pwd) values(?, ?, ?)";
mysqli_stmt_bind_param($stmt, "sss", $mobile, $email, $password);
echo "after sql_query";

?>

For more detail, When I am replacing my $sql_query with below static code, it is inserting into database.

$sql_query = "INSERT INTO user_login (user_mobile, user_email, user_pwd) values('1000055', 'vikas55@web', '5555')";
Improve this question
5
  • Do you have any errors? Commented Jan 15, 2016 at 10:55
  • 3
    If you echo $sql_query you will see that the query is invalid. The wrong way to solve this, is to add quotes around the values in the string. The right way is to use prepared statements and passing the values are parameters. Commented Jan 15, 2016 at 10:55
  • Possible duplicate of PHP MySQL Query Doesn't Insert Commented Jan 15, 2016 at 10:55
  • So your problem is solved? Commented Jan 15, 2016 at 11:20
  • I didn't echo $sql_query. It is simple string in last. Commented Jan 15, 2016 at 11:24

2 Answers 2

Reset to default
5

You have to use quotes to insert string values

$sql_query = "INSERT INTO user_login (user_mobile, user_email, user_pwd) values('$mobile', '$email', '$password')";

But even this is not a good solution as you wqould be vulnerable to sql injections.

Use prepared statements to avoid these security issues:

$stmt = mysqli_prepare($dbc, "INSERT INTO user_login (user_mobile, user_email, user_pwd) values(?, ?, ?)";
mysqli_stmt_bind_param($stmt, "sss", $mobile, $email, $password);
mysqli_stmt_execute($stmt);

Prepared statements will handle all the escaping and quote encapsulation necessary to be safe.

If you'd like to dig into the topic you may read nice tutorial at http://www.w3schools.com/php/php_mysql_prepared_statements.asp

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

The quotes version is bad practice. Your other solution uses the object notation, while OP uses the functional libraries. This will be very confusing for a beginner.
I updated my main post with your code but not working till now. Could you please check and put the answer for query. @GolezTrol
Please add the mysqli_stmt_execute() from my example. It's needed to actually execute the sql statement.
Thanks all. Its working now. I used prepared statements and passing the values are parameters.
0

If user_mobile type defined int or other numeric types, you should not use '. so you can test this:

$sql_query = "INSERT INTO user_login (user_mobile, user_email, user_pwd) values($mobile, '$email', '$password')";
Improve this answer

1 Comment

It's very bad practise to do it like this. An answer similar to yours was already deleted. If you would do this, you would also have to escape quotes and other characters in the values. BTW, what you say about the numeric value is not true. You can use quotes around numeric values and MySQL will just convert it. Whether 'mobile' should be numeric at all is a completely different matter.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.