Using prepared statements on insert query

Asked Sep 26 '14 at 07:11

Active Sep 26 '14 at 07:11

Viewed 38 times

I have a function which inserts data into a mysql database table. How can I use mysqli prepared statements to make sure the values are safe?

//Inserts a new row into the database.
//takes an array of data, where the keys in the array are the column names
//and the values are the data that will be inserted into those columns.
//$table is the name of the table.
public function insert($data, $table) {

    $columns = "";
    $values = "";

    foreach ($data as $column => $value) {
        $columns .= ($columns == "") ? "" : ", ";
        $columns .= $column;
        $values .= ($values == "") ? "" : ", ";
        $values .= $value;
    }

    $sql = "insert into $table ($columns) values ($values)";

    $this->mysqli->query($sql) or die(mysql_error());

    //return the last ID used in the database.
    return $this->mysqli->insert_id;

}

asked Sep 26 '14 at 07:11

Ciprian

3,066
9
62
98

1

You could definitely start by [reading the docs](http://au2.php.net/manual/en/mysqli.quickstart.prepared-statements.php). – Marty Sep 26 '14 at 07:14
You can use the `mysqli_stmt_bind_param` http://php.net/manual/en/mysqli-stmt.bind-param.php – iFarbod Sep 26 '14 at 07:18

Using prepared statements on insert query

0 Answers0