
I'm trying to insert values into the contents table. It works fine if I do not have a PHP variable inside VALUES. When I put the variable $address inside VALUES, it doesn't work.

$lat = $_GET['lat'];      // latitude
$lng = $_GET['lng'];      // longitude
$address = $_GET['nom'];  // this is an example
    // $address = getAddress($lat, $lng); is the real function; my problem is how to use $address in VALUES

    // the SQL string is built by concatenating the raw request values
    $bdd->exec('INSERT INTO user(nom, prenom, Gsm, Email, Sexe, address) VALUES(\''.$_GET['nom'].'\' , \''.$_GET['prenom'].'\' , \''.$_GET['mobile'].'\' , \''.$_GET['Nemail'].'\' , \''.$_GET['sexe'].'\', '$address'   )');

Comments

  • This method is naive, prone to syntax errors, and is also very vulnerable to SQL injection attacks. You should use parameterised queries and prepared statements to help prevent attackers from compromising your database by using malicious input values. bobby-tables.com gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP and popular DB libraries. Never insert unsanitised data directly into your SQL. Commented Sep 21, 2017 at 8:46
  • Please provide the error you are getting. Commented Sep 21, 2017 at 8:47
  • ( ! ) Parse error: syntax error, unexpected '$address' (T_VARIABLE) in C:\wamp\www\amine\api.php on line 40 Commented Sep 21, 2017 at 8:50
  • '.$address.' would fix that. You forgot the dot to do string concatenation. But it would still leave your code wide open to hacking, and also prone to SQL syntax errors if people put such wild and crazy things as, for example, quote marks in the input. The answer provided is definitely the way to go. Commented Sep 21, 2017 at 9:46

1 Answer

You should prefer a prepared statement; it is safer and cleaner.

 <?php
    // $dbh is the PDO connection (the question calls it $bdd).
    // The SQL is sent with named placeholders; the values are bound separately,
    // so quotes or other SQL characters in the input cannot alter the query.
    $stmt = $dbh->prepare("INSERT INTO user(nom, prenom, Gsm, Email, Sexe, address) VALUES(:nom, :prenom, :mobile, :Nemail, :sexe, :address)");
    // bindParam binds by reference; the value is read when execute() runs.
    $stmt->bindParam(':nom', $_GET['nom']);
    $stmt->bindParam(':prenom', $_GET['prenom']);
    $stmt->bindParam(':mobile', $_GET['mobile']);
    $stmt->bindParam(':Nemail', $_GET['Nemail']);
    $stmt->bindParam(':sexe', $_GET['sexe']);
    $stmt->bindParam(':address', $_GET['address']);
    $stmt->execute();
    ?>

2 Comments

Can I do it like this: $stmt->bindParam(':address', $address);
Yes, you definitely can.
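The following is an added, self-contained example (not code from the question or the answer above) that puts the two approaches side by side: the concatenated query from the question with the missing dots added, and the prepared statement from the answer, with the computed $address passed in through execute(). It uses an in-memory SQLite database through PDO so it runs offline; the asker's MySQL connection $bdd is assumed to be a PDO object, which is all the prepared-statement code relies on. getAddress() is a stand-in for the asker's real function, and the request arrays are constructed here.

```php
<?php
// Added example, not from the original question or answer. SQLite in memory is
// used so it runs offline; only the PDO API is exercised.

// Stand-in for the asker's getAddress($lat, $lng). The real one would call a
// geocoding service; this one just builds a string (with an apostrophe in it).
function getAddress(float $lat, float $lng): string {
    return sprintf("Rue de l'Exemple, %.4f/%.4f", $lat, $lng);
}

function newDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (nom TEXT, prenom TEXT, Gsm TEXT, Email TEXT, Sexe TEXT, address TEXT)');
    return $db;
}

// The question's query with the concatenation dots fixed. It now parses as PHP,
// but every value is pasted into the SQL text, so a quote in the input either
// breaks the statement or lets the caller append their own SQL.
function insertConcatenated(PDO $db, array $in, string $address): void {
    $db->exec("INSERT INTO user(nom, prenom, Gsm, Email, Sexe, address) VALUES('"
        . $in['nom'] . "', '" . $in['prenom'] . "', '" . $in['mobile'] . "', '"
        . $in['Nemail'] . "', '" . $in['sexe'] . "', '" . $address . "')");
}

// The answer's approach. The statement is compiled with placeholders and the
// values are sent separately. execute() with an array binds by value, so a
// computed $address is handled exactly like a $_GET entry.
function insertPrepared(PDO $db, array $in, string $address): void {
    $stmt = $db->prepare('INSERT INTO user(nom, prenom, Gsm, Email, Sexe, address)
                          VALUES(:nom, :prenom, :mobile, :Nemail, :sexe, :address)');
    $stmt->execute([
        ':nom'     => $in['nom'],
        ':prenom'  => $in['prenom'],
        ':mobile'  => $in['mobile'],
        ':Nemail'  => $in['Nemail'],
        ':sexe'    => $in['sexe'],
        ':address' => $address,
    ]);
}

function countUsers(PDO $db): int {
    return (int)$db->query('SELECT COUNT(*) FROM user')->fetchColumn();
}

// Constructed requests: a legitimate surname with an apostrophe, and a hostile
// one that closes the VALUES list and appends a second statement.
$honest = ['nom' => "O'Brien", 'prenom' => 'Amine', 'mobile' => '0600000000',
           'Nemail' => 'amine@example.com', 'sexe' => 'M', 'lat' => '36.8', 'lng' => '10.1'];
$hostile = $honest;
$hostile['nom'] = "x', 'y', 'z', 'w', 'v', 'u'); DELETE FROM user; --";

$address = getAddress((float)$honest['lat'], (float)$honest['lng']);

// 1. Concatenation: the honest input fails with an SQL syntax error.
$db = newDb();
try {
    insertConcatenated($db, $honest, $address);
} catch (PDOException $e) {
    echo "concatenated, honest input: SQL error: " . $e->getMessage() . "\n";
}

// 2. Concatenation: the hostile input runs, and takes the DELETE with it.
insertPrepared($db, $honest, $address);          // seed one row first
insertConcatenated($db, $hostile, $address);
echo "concatenated, hostile input: rows left = " . countUsers($db) . "\n";

// 3. Prepared statement: both inputs are stored as plain data.
$db = newDb();
insertPrepared($db, $honest, $address);
insertPrepared($db, $hostile, $address);
echo "prepared: rows = " . countUsers($db) . "\n";
foreach ($db->query('SELECT nom, address FROM user') as $row) {
    echo "  nom=" . $row['nom'] . " | address=" . $row['address'] . "\n";
}
```

The PDO SQLite driver executes everything handed to exec(), which is why the hostile nom in step 2 empties the table; on MySQL the outcome depends on whether multi-statement execution is enabled, but the quote in step 1 breaks the query on every database. In step 3 the hostile string is stored verbatim as a surname, which is what you want: it is data, not SQL. If you keep bindParam() as in the answer, remember it binds by reference, so the variable must still exist and hold the intended value at the moment execute() is called.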
