I'm trying to run the following code:

mysql_query("INSERT INTO friend_data (UID, Name) VALUES ($friendUID, $friendName)");

where $friendUID is the user ID grabbed from Facebook, and $friendName is the name of the friend grabbed from Facebook. For some reason, $friendName just won't write to MySQL. $friendUID writes fine, and so does regular text. Does anyone have an idea why, or how to get this working? Relevant code is below:

$uid = $facebook->getUser();
$friends = $facebook->api('/me/friends');
// Loop implied by the use of $value below: the Graph API wraps the friend list in a "data" array.
foreach ($friends['data'] as $value) {
    $friendUID = $value["id"];
    $friendName = $value["name"];
    echo $friendName;
    // The name is interpolated without quotes, which is what produces the failing statement.
    mysql_query("INSERT INTO friend_data (UID, Name) VALUES ($friendUID, $friendName)");
}

Thank you!

FinalJon
  • Hi, you've got a SQL injection vulnerability there, and please consider switching to either using mysqli or PDO to access your database (the `mysql_` functions are obsolete & using them is discouraged). See http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php – John Carter Feb 13 '13 at 22:46
  • Thanks - I'll take a look. I'm just trying to get this working though... – FinalJon Feb 13 '13 at 22:48

1 Answer

First, you should look into using MySQLi or PDO, as the PHP MySQL extension is quite old (and now deprecated in PHP 5.5):
http://www.php.net/manual/en/mysqlinfo.api.choosing.php

The issue is that you are trying to insert raw text into the SQL query, which in addition to being an injection risk, causes an invalid statement:

Desired result:

INSERT INTO friend_data (UID, Name) VALUES (1234, "Friend Name");

Actual Result:

INSERT INTO friend_data (UID, Name) VALUES (1234, Friend Name);

You need to encapsulate the name value in quotes, as well as escape the values before inserting them:

$uid = $facebook->getUser();
$friends = $facebook->api('/me/friends');
// Loop implied by the use of $value below: the Graph API wraps the friend list in a "data" array.
foreach ($friends['data'] as $value) {
    // Escape both values before they are interpolated into the SQL string.
    $friendUID = mysql_real_escape_string($value["id"]);
    $friendName = mysql_real_escape_string($value["name"]);
    // The name is now wrapped in quotes so MySQL reads it as a string literal.
    mysql_query("INSERT INTO friend_data (UID, Name) VALUES ($friendUID, \"$friendName\")");
}
gapple
  • Thank you! Speaking of PDO and MySQLi - eventually I need to write statements in a Java Applet. Do I need to modify those as well to be not injectable? – FinalJon Feb 13 '13 at 22:54
  • @FinalJon yes, SQL injection is an issue you need to handle regardless of language. – John Carter Feb 13 '13 at 23:11
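The prepared-statement version that the comments and the answer recommend, as an added example that is not part of the original question or answer. It assumes a friend_data(UID, Name) table and friend data shaped like the Graph API /me/friends response, and it uses an in-memory SQLite database as a stand-in for MySQL so it runs offline.

```php
<?php
// Added example: the same INSERT done with a PDO prepared statement, so the
// driver handles quoting and escaping instead of string interpolation.

// Constructed sample data standing in for $facebook->api('/me/friends').
// The second and third names contain a single and a double quote, the
// characters that break a hand-built query string.
$friends = [
    'data' => [
        ['id' => '1234', 'name' => 'Friend Name'],
        ['id' => '5678', 'name' => "Maria O'Brien"],
        ['id' => '9012', 'name' => 'Jo "JJ" Smith'],
    ],
];

// SQLite in memory is used only so the example runs offline. For MySQL the DSN
// would be e.g. 'mysql:host=localhost;dbname=app;charset=utf8mb4', and setting
// PDO::ATTR_EMULATE_PREPARES to false makes the server do the preparing.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE friend_data (UID INTEGER NOT NULL, Name TEXT NOT NULL)');

// Prepared once with placeholders; the values never become part of the SQL text.
$stmt = $pdo->prepare('INSERT INTO friend_data (UID, Name) VALUES (:uid, :name)');

foreach ($friends['data'] as $value) {
    // Graph API ids arrive as numeric strings; bind as an integer for the UID column.
    $stmt->bindValue(':uid', (int) $value['id'], PDO::PARAM_INT);
    $stmt->bindValue(':name', $value['name'], PDO::PARAM_STR);
    $stmt->execute();
}

// Read back to confirm every name was stored verbatim, quotes included.
foreach ($pdo->query('SELECT UID, Name FROM friend_data ORDER BY UID') as $row) {
    printf("%d\t%s\n", $row['UID'], $row['Name']);
}
```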